* Proper way to ipsec filtering
@ 2022-04-17 6:37 Kamil Jońca
From: Kamil Jońca @ 2022-04-17 6:37 UTC (permalink / raw)
To: netfilter
What is the best way to create rules for IPsec traffic filtering?
So far I have a bunch of rules created per reqid, like this:
table ip filter { # handle 13
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
        [...]
    }
    [...]
    chain ipsec-in-1 { # handle 323
        ip saddr yyy ip daddr xxxx/24 counter packets 50871 bytes 5614784 jump c1 # handle 325
        ip protocol ipencap ip daddr zzzz counter packets 49801 bytes 5878107 accept # handle 324
    }
}
And I insert / remove rules in INPUT (and add / delete ipsec-in-*
chains) as clients connect and disconnect.
This is what I configured when I migrated from iptables some time ago.
But I believe this is not the best method for nftables. Does anybody
have a suggestion what the best practice is to handle this situation?
I tried to use maps/vmaps, but reqid cannot be used as an index.
Am I missing something?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
* Re: Proper way to ipsec filtering
@ 2022-04-18 10:14 Florian Westphal
From: Florian Westphal @ 2022-04-18 10:14 UTC (permalink / raw)
To: Kamil Jońca; +Cc: netfilter
Kamil Jońca <kjonca@op.pl> wrote:
> What is the best way to create rules for IPsec traffic filtering?
>
> So far I have a bunch of rules created per reqid, like this:
> table ip filter { # handle 13
>
>     chain INPUT { # handle 1
>         type filter hook input priority filter; policy drop;
>         iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
>         [...]
[..]
> But I believe this is not the best method for nftables. Does anybody
> have a suggestion what the best practice is to handle this situation?
> I tried to use maps/vmaps, but reqid cannot be used as an index.
That's a bug / missing feature; it should be possible to use reqid in concatenated keys too.
I've sent a patch for this:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@strlen.de/
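As an added illustration (not part of the thread, and not the patch itself), this is the map-based layout the question is asking for: reqid becomes a map key, and clients are added or removed as map elements instead of by editing INPUT. It assumes an nftables build that accepts `ipsec in reqid` as a map key, including inside a concatenation as Florian describes; chain names follow the question, addresses are constructed placeholders.

```nft
# Added example, not from the thread. Assumes "ipsec in reqid" is
# accepted as a map key (also in concatenations). Addresses are
# constructed placeholders; chain names follow the original question.
table ip filter {
    # Per-client chains keep the per-peer policy; only inner (decrypted)
    # traffic reaches them because the dispatch rule requires an SA.
    chain ipsec-in-1 {
        ip saddr 192.0.2.10 ip daddr 10.0.0.0/24 counter accept
        ip protocol ipencap ip daddr 10.0.0.1 counter accept
    }
    chain ipsec-in-2 {
        ip saddr 192.0.2.20 ip daddr 10.0.1.0/24 counter accept
    }

    # Dispatch on reqid alone. On connect/disconnect, run
    #   nft add    element ip filter ipsec_in_dispatch { 3 : jump ipsec-in-3 }
    #   nft delete element ip filter ipsec_in_dispatch { 3 }
    # so the INPUT chain itself never changes.
    map ipsec_in_dispatch {
        typeof ipsec in reqid : verdict
        elements = { 1 : jump ipsec-in-1,
                     2 : jump ipsec-in-2 }
    }

    # Concatenated key (reqid . inner source) for the case where the
    # decision also depends on the peer's inner address; this is the
    # concatenation use the thread says needed the fix.
    map ipsec_in_by_peer {
        typeof ipsec in reqid . ip saddr : verdict
        elements = { 1 . 192.0.2.10 : jump ipsec-in-1,
                     2 . 192.0.2.20 : jump ipsec-in-2 }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        # Packets that did not arrive through an inbound SA have no
        # reqid, so they never match and fall through to the drop policy.
        iif "eth0" ipsec in reqid vmap @ipsec_in_dispatch
        # Alternative using the concatenated map:
        # iif "eth0" ipsec in reqid . ip saddr vmap @ipsec_in_by_peer
    }
}
```

Load with `nft -f` and confirm the key type the build actually assigned with `nft list map ip filter ipsec_in_dispatch` before relying on it.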
* Re: Proper way to ipsec filtering
@ 2022-04-18 20:41 Kamil Jońca
From: Kamil Jońca @ 2022-04-18 20:41 UTC (permalink / raw)
To: netfilter
Florian Westphal <fw@strlen.de> writes:
[...]
> That's a bug / missing feature; it should be possible to use reqid in concatenated keys
> too. I've sent a patch for this:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@strlen.de/
>
Well, I cloned the repo and compiled it against my Debian sid test box. It seems to work as expected.
Thank you.
So now I have to wait until Debian adopts it. :)
Thanks again.
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/