From: Patrick McHardy <kaber@trash.net>
To: Eric Leblond <eric@regit.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft] parser: support reject unreach|reset
Date: Tue, 4 Mar 2014 09:01:32 +0000	[thread overview]
Message-ID: <20140304090132.GD5094@macbook.localnet> (raw)
In-Reply-To: <1393882892.19488.14.camel@ice-age2.regit.org>

On Mon, Mar 03, 2014 at 10:41:32PM +0100, Eric Leblond wrote:
> Hello,
> 
> On Mon, 2014-03-03 at 22:12 +0100, Florian Westphal wrote:
> > reject did not allow using tcp reset instead of icmp unreach.
> 
> I'm currently working on a patchset to support this and also setting the
> ICMP code. But I'm fighting on the ICMP code filtering.
> 
> > 
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> >  After this patch it's possible to do something like
> > 
> >  rule filter output reject reset
> 
> I found the syntax a bit short ;) If we add ICMP code support
> and follow the logic:
> 
> rule filter output reject administratively-prohibited
> 
> My plan was to do something like:
> 
> rule filter output reject with tcp reset
> rule filter output reject with icmp|code administratively-prohibited

I really prefer a less bloated syntax. For TCP reset simply stating:

filter output tcp dport 22 reset

is both understandable and contains all necessary information. For ICMP
types I guess we could live with the "with" keyword, although I prefer

filter output reject [ network-unreachable | ... ]

or something like that.

> >  Which makes kernel generate bogus tcp resets in response
> >  to non-tcp packets.
> > 
> >  In iptables this is avoided by making checkentry fail if -p tcp is not
> >  specified when tcp-reset is requested.
> >
> >  How should this be handled in nft?
> 
> Good point. It looks a bit like what Patrick did mention in "Re:
> [nftables RFC PATCH 0/1] implementing icmp code filterin"
> 
> "We do something similar in ct_expr_update_type() for ct expressions."
> 
> Idea is to update the entry and in this case to output an error if we
> don't have tcp. But I'm not sure we can access the other expressions
> (and hence the TCP-or-not info) at that point.

This is actually easier than the ICMP case: the protocol context contains
all necessary information. Unlike iptables we execute statements at the
point where they occur in the rule, so the user is expected to use some
logical ordering in his statements:

"tcp dport ssh reset" instead of "reset tcp dport ssh".

Meaning we have the full protocol context available.
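The ordering argument above, as an added toy model that is not nft's code: statements are walked left to right, a transport match records the protocol in a context, and a reset statement is only accepted once that context says tcp. Statement tuples and the RuleError type are constructed here for illustration.

```python
# Added example (not nft's own code): a toy model of ordered rule evaluation
# with a protocol context. Statement forms, constructed for this example:
#   ("match", proto, field, value)  e.g. ("match", "tcp", "dport", 22)
#   ("reset",)                      tcp reset statement
#   ("reject", icmp_type)           icmp unreachable with the given type


class RuleError(Exception):
    """Raised when a statement is invalid in the current protocol context."""


def evaluate(rule):
    """Walk the rule in order and return the final protocol context."""
    ctx = {"transport": None}
    for i, stmt in enumerate(rule):
        kind = stmt[0]
        if kind == "match":
            proto = stmt[1]
            # A second transport match must agree with the first one.
            if ctx["transport"] not in (None, proto):
                raise RuleError(f"stmt {i}: conflicting protocols "
                                f"{ctx['transport']} vs. {proto}")
            ctx["transport"] = proto
        elif kind == "reset":
            # Without a preceding tcp match the kernel would answer non-tcp
            # packets with bogus TCP resets, so refuse the rule at load time
            # (the role iptables gives to checkentry for tcp-reset).
            if ctx["transport"] != "tcp":
                raise RuleError(f"stmt {i}: reset needs a tcp match before it")
        elif kind == "reject":
            pass  # ICMP unreachable is valid whatever the transport protocol
        else:
            raise RuleError(f"stmt {i}: unknown statement {kind!r}")
    return ctx


def accepted(rule):
    """True if the rule loads, False if the context check rejects it."""
    try:
        evaluate(rule)
        return True
    except RuleError:
        return False


if __name__ == "__main__":
    print(accepted([("match", "tcp", "dport", 22), ("reset",)]))   # True
    print(accepted([("reset",), ("match", "tcp", "dport", 22)]))   # False
```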
