netfilter-devel.vger.kernel.org archive mirror
* Mixed IPv4+IPv6 sets
@ 2015-09-06 18:52 Wilmer van der Gaast
  2015-09-07 18:50 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Wilmer van der Gaast @ 2015-09-06 18:52 UTC (permalink / raw)
  To: netfilter-devel

Hello,

The "inet" family is a great idea for unifying IPv4 and IPv6 
firewalling, but I just ran into one thing I'm missing.

nft lets me define sets with both IPv4 and IPv6 addresses, but once I 
try using them things go wrong - I assume this means that the addresses 
aren't actually parsed until that point?

I can invoke the set from an ip match, and it will complain about IPv6 
addresses in the list being invalid. And vice versa, invoke the set from 
an "ip6" match and the IPv4 addresses will cause parse errors.

Would it be possible to either have an "inet" match rule, or tell nft to 
skip unknown address families so I could just invoke the set twice, once 
using "ip" and once using "ip6" match rule, without running into syntax 
errors?

I could of course just define two separate sets to get something similar 
to my alternative idea, and maybe I'll try that, but it gets kludgier 
that way. :-(


Kind regards,

Wilmer van der Gaast.
-- 
+-------- .''`.     - -- ---+  +        - -- --- ---- ----- ------+
| wilmer : :'  :  gaast.net |  | OSS Programmer   www.bitlbee.org |
| lintux `. `~'  debian.org |  | Full-time geek  wilmer.gaast.net |
+--- -- -  ` ---------------+  +------ ----- ---- --- -- -        +


* Re: Mixed IPv4+IPv6 sets
  2015-09-06 18:52 Mixed IPv4+IPv6 sets Wilmer van der Gaast
@ 2015-09-07 18:50 ` Pablo Neira Ayuso
  2015-09-08  8:21   ` Arturo Borrero Gonzalez
  2015-09-09 10:07   ` Wilmer van der Gaast
  0 siblings, 2 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-07 18:50 UTC (permalink / raw)
  To: Wilmer van der Gaast; +Cc: netfilter-devel

On Sun, Sep 06, 2015 at 07:52:47PM +0100, Wilmer van der Gaast wrote:
> Hello,
> 
> The "inet" family is a great idea for unifying IPv4 and IPv6
> firewalling, but I just ran into one thing I'm missing.
> 
> nft lets me define sets with both IPv4 and IPv6 addresses, but once
> I try using them things go wrong - I assume this means that the
> addresses aren't actually parsed until that point?
> 
> I can invoke the set from an ip match, and it will complain about
> IPv6 addresses in the list being invalid. And vice versa, invoke the
> set from an "ip6" match and the IPv4 addresses will cause parse
> errors.
> 
> Would it be possible to either have an "inet" match rule, or tell
> nft to skip unknown address families so I could just invoke the set
> twice, once using "ip" and once using "ip6" match rule, without
> running into syntax errors?
> 
> I could of course just define two separate sets to get something
> similar to my alternative idea, and maybe I'll try that, but it gets
> kludgier that way. :-(

Could you illustrate with examples what you would like to have and the
limitations you are currently hitting?

Thanks.


* Re: Mixed IPv4+IPv6 sets
  2015-09-07 18:50 ` Pablo Neira Ayuso
@ 2015-09-08  8:21   ` Arturo Borrero Gonzalez
  2015-09-09 10:08     ` Wilmer van der Gaast
  2015-09-09 10:07   ` Wilmer van der Gaast
  1 sibling, 1 reply; 5+ messages in thread
From: Arturo Borrero Gonzalez @ 2015-09-08  8:21 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Wilmer van der Gaast, Netfilter Development Mailing list

On 7 September 2015 at 20:50, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Sep 06, 2015 at 07:52:47PM +0100, Wilmer van der Gaast wrote:
>> Hello,
>>
>> The "inet" family is a great idea for unifying IPv4 and IPv6
>> firewalling, but I just ran into one thing I'm missing.
>>
>> nft lets me define sets with both IPv4 and IPv6 addresses, but once
>> I try using them things go wrong - I assume this means that the
>> addresses aren't actually parsed until that point?
>>
>> I can invoke the set from an ip match, and it will complain about
>> IPv6 addresses in the list being invalid. And vice versa, invoke the
>> set from an "ip6" match and the IPv4 addresses will cause parse
>> errors.
>>
>> Would it be possible to either have an "inet" match rule, or tell
>> nft to skip unknown address families so I could just invoke the set
>> twice, once using "ip" and once using "ip6" match rule, without
>> running into syntax errors?
>>
>> I could of course just define two separate sets to get something
>> similar to my alternative idea, and maybe I'll try that, but it gets
>> kludgier that way. :-(
>
> Could you illustrate with examples what you would like to have and the
> limitations you are currently hitting?
>

I guess Wilmer is talking about multi-datatype sets (IPv4 and IPv6
mixed addresses). That would be a nice feature indeed.

@Wilmer: AFAIK that's not possible by now. It would require some
changes in the kernel.
Among other things, IPv4 and IPv6 addresses have different lengths. I
guess it would require a special syntax in userspace for the anon-set
case as well.

This seems to be the expected behaviour right now:

 # nft add rule inet filter input ip6 saddr @ipv4_set
<cmdline>:1:38-42: Error: datatype mismatch, expected IPv6 address,
set has type IPv4 address
-- 
Arturo Borrero González


* Re: Mixed IPv4+IPv6 sets
  2015-09-07 18:50 ` Pablo Neira Ayuso
  2015-09-08  8:21   ` Arturo Borrero Gonzalez
@ 2015-09-09 10:07   ` Wilmer van der Gaast
  1 sibling, 0 replies; 5+ messages in thread
From: Wilmer van der Gaast @ 2015-09-09 10:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso, netfilter-devel

On 07-09-15 19:50, Pablo Neira Ayuso wrote:
> 
> Could you illustrate with examples what you would like to have and the
> limitations you are currently hitting?
> 
So what I was trying to do is define sets with my local + trusted
networks. So for example:

define local = {
	192.168.0.0/24,
	2001:888:1001:1::/64,
}

define trusted = {
	$local,
	87.198.233.214,
	2001:888:1001::/48,
}

So I'd use these as whitelists, could use $trusted as a wider whitelist
for all my networks and $local as just for completely local traffic.
Containing IPv4 and IPv6 addresses/networks.

Now I'd love to be able to just, for example (and apologies for the
likely wrong syntax, I have not been able to start using nftables in
full, just experimenting):

table inet filter {
	chain forward {
		type filter hook forward priority 0;
		...
		# (Mostly) don't filter traffic from my trusted nets
		inet saddr $trusted accept;
		# Filter the rest more strictly.
		...
	}
}

This won't work because inet is not an existing match rule. I can have
an "inet" table but it still needs to have ip and ip6 match rules
separately. It is nice that many other rules just work like for example
tcp/udp and ct.

Now if I could just do:

		# (Mostly) don't filter traffic from my trusted nets
		ip saddr $trusted accept;
		ip6 saddr $trusted accept;

somehow and have nft take just the v4 and just the v6 addresses for each
line, that would also be workable. Or what I tried doing (but then I ran
into the crash bug I've just reported), is separate the two whitelists
completely and do:

		# (Mostly) don't filter traffic from my trusted nets
		ip saddr $trusted4 accept;
		ip6 saddr $trusted6 accept;

The latter would work and is not bad, just kludgy. Being able to just
refer to a single mixed set of addresses from a single rule would
certainly be the most convenient, as one more step towards fully
unifying IPv4 + IPv6 filtering.


Kind regards,

Wilmer van der Gaast.

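The "separate the two whitelists" workaround above can be automated: the following script (an added example, not code from the thread or from nftables) takes one mixed list such as $trusted and emits an inet table with a $trusted4 / $trusted6 pair plus the matching "ip saddr" / "ip6 saddr" rules; the set names, the "interval" flag and the merging of nested prefixes are this example's own choices.

```python
# Added example (not from the thread or nftables): split a mixed IPv4/IPv6
# whitelist into two family-specific named sets that an "inet" table can
# reference from "ip saddr" and "ip6 saddr" rules.
import ipaddress


def split_by_family(entries):
    """Return (ipv4, ipv6) lists of CIDR strings, one sorted list per family.

    Bare hosts get /32 or /128.  Nested or overlapping prefixes (the thread's
    $local /64 lies inside the /48) are merged into the covering prefix so
    each set is a minimal interval list.  A malformed entry raises
    ValueError instead of silently dropping a trusted network.
    """
    nets = [ipaddress.ip_network(raw.strip(), strict=False) for raw in entries]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]


def render_nft(name, v4, v6, table="filter", chain="forward"):
    """Emit an nft script: two interval sets and one accept rule per family."""
    def set_block(suffix, dtype, elems):
        if not elems:          # skip the family entirely if the list is empty
            return ""
        body = ",\n\t\t\t".join(elems)
        return (f"\tset {name}{suffix} {{\n\t\ttype {dtype}; flags interval;\n"
                f"\t\telements = {{\n\t\t\t{body}\n\t\t}}\n\t}}\n")

    rules = ""
    if v4:
        rules += f"\t\tip saddr @{name}4 accept\n"
    if v6:
        rules += f"\t\tip6 saddr @{name}6 accept\n"
    return (f"table inet {table} {{\n"
            + set_block("4", "ipv4_addr", v4)
            + set_block("6", "ipv6_addr", v6)
            + f"\tchain {chain} {{\n\t\ttype filter hook {chain} priority 0;\n"
            + rules + "\t}\n}\n")


# Constructed sample: the thread's $trusted definition with $local expanded.
TRUSTED = ["192.168.0.0/24", "2001:888:1001:1::/64",
           "87.198.233.214", "2001:888:1001::/48"]

if __name__ == "__main__":
    print(render_nft("trusted", *split_by_family(TRUSTED)))
```

Feed the output to `nft -f -` (or write it to a file) to load both sets and the two rules in one transaction.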

* Re: Mixed IPv4+IPv6 sets
  2015-09-08  8:21   ` Arturo Borrero Gonzalez
@ 2015-09-09 10:08     ` Wilmer van der Gaast
  0 siblings, 0 replies; 5+ messages in thread
From: Wilmer van der Gaast @ 2015-09-09 10:08 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez, Pablo Neira Ayuso
  Cc: Netfilter Development Mailing list

Sorry, I had sent a response to Pablo's request but forgot to hit
Reply-to-All. :-( Strangely Thunderbird did not show the message in
sent-mail at the time but it's there now, I'll repost it for the archives.

On 08-09-15 09:21, Arturo Borrero Gonzalez wrote:
> 
> I guess Wilmer is talking about multi-datatype sets (IPv4 and IPv6
> mixed addresses). That would be a nice feature indeed.
> 
Correct. And what I had noticed is that a file with mixed static (or
anon you call it?) sets (the ones with a $-prefixed name that as far as
I can tell can not be modified later and are expanded at parsing time)
is accepted if the sets are not used. Just none of the matches are very
happy with it since there's no multi-datatype matcher?

> @Wilmer: AFAIK thats not possible by now. It would require some
> changes in the kernel.

In the other message I have a workaround suggestion that would allow for
the mixed set in the file and just IPv4- and IPv6-specific references to
it. How reasonable would that be?


Kind regards,

Wilmer v/d Gaast.

