From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Tom <tom@foscore.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: proper ICMPv6 syntax for specific daddr
Date: Wed, 7 Sep 2022 16:39:48 +0200
Message-ID: <YxitNE+Csp6f9n/N@salvia>
In-Reply-To: <dc512913-d28a-9224-ad5a-e68828975766@foscore.com>
On Wed, Sep 07, 2022 at 10:10:41AM -0400, Tom wrote:
> I can successfully enable ping for IPv6 using this rule:
>
> nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
>
> I have one physical ethernet card which is assigned five IPv6 addresses.
> What I want to do is enable it for only 2 of 5 IPv6 addresses, like so:
>
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept
Please, don't use "ip6 nexthdr", this strictly means "check for the
IPv6 nexthdr field of the IPv6 header", which is not what you might
need. See:
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
Instead, use "meta l4proto" which already parses the IPv6 extension
headers up to the layer 4 header.
> ...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
> rule still works but now the first doesn't. I've tried using sets like so:
>
> nft add rule ip6 filter input ip6 daddr @trusted ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr @admin ip6 nexthdr icmpv6 counter limit rate 5/second accept
OK, this is using sets, but still looking like iptables+ipset.
Better use concatenations and sets:
table ip6 x {
	set y {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { aaaa:43:a:83::5 . icmpv6 limit rate 5/second,
			     aaaa:43:a:83::6 . icmpv6 limit rate 5/second }
	}

	chain m {
		type filter hook prerouting priority filter; policy drop;
		ip6 daddr . meta l4proto @y accept
	}
}
Probably, nft -o/--optimize might offer more of these transformations
in the future.
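To make the "ip6 nexthdr" versus "meta l4proto" distinction concrete, the following added Python example (not from the thread, not nftables code) models both matches over constructed IPv6 packets: one plain ICMPv6 echo, one carrying Hop-by-Hop and Destination Options extension headers before the ICMPv6 header. The nexthdr field sees the first extension header (protocol 0), while the l4proto walk reaches ICMPv6 (58), which is why the former match silently fails on such packets.

```python
import struct

# IPv6 extension headers that a layer-4 protocol lookup must skip over
# (IANA protocol numbers: HOPOPT, Routing, Fragment, AH, DstOpts, Mobility).
EXT_HEADERS = {0, 43, 44, 51, 60, 135}
ICMPV6 = 58
HOPOPT, DSTOPTS = 0, 60


def nexthdr_field(pkt: bytes) -> int:
    """Model of nftables 'ip6 nexthdr': byte 6 of the fixed IPv6 header."""
    return pkt[6]


def l4proto(pkt: bytes) -> int:
    """Model of nftables 'meta l4proto': follow the extension-header chain."""
    nh, off = pkt[6], 40  # fixed IPv6 header is 40 bytes
    while nh in EXT_HEADERS and off + 2 <= len(pkt):
        if nh == 44:            # Fragment header: fixed 8 bytes
            hdrlen = 8
        elif nh == 51:          # AH: length in 4-byte units, excluding first 2
            hdrlen = (pkt[off + 1] + 2) * 4
        else:                   # others: length in 8-byte units, excluding first 8
            hdrlen = (pkt[off + 1] + 1) * 8
        nh = pkt[off]           # first byte of every extension header is Next Header
        off += hdrlen
    return nh


def ipv6_packet(nexthdr: int, payload: bytes) -> bytes:
    """Constructed minimal IPv6 header (version 6, hop limit 64, ::1 -> ::1)."""
    loopback = bytes(15) + b"\x01"
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nexthdr, 64)
    return fixed + loopback + loopback + payload


# Constructed sample data: ICMPv6 echo request (type 128), and two 8-byte
# option headers, each padded with a single PadN option.
ECHO = bytes([128, 0, 0, 0, 0, 0, 0, 0])
HBH_THEN_DSTOPTS = bytes([DSTOPTS, 0, 1, 4, 0, 0, 0, 0])
DSTOPTS_THEN_ICMP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])

PLAIN_PING = ipv6_packet(ICMPV6, ECHO)
PING_WITH_EXT = ipv6_packet(HOPOPT, HBH_THEN_DSTOPTS + DSTOPTS_THEN_ICMP + ECHO)


def rule_matches_icmpv6(pkt: bytes, use_l4proto: bool) -> bool:
    """Whether an 'icmpv6' match written either way would accept this packet."""
    proto = l4proto(pkt) if use_l4proto else nexthdr_field(pkt)
    return proto == ICMPV6
```

Both packets are valid ICMPv6 echo requests, but only the l4proto-style match accepts the one with extension headers.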