Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Dan Rimal <dan@danrimal.net>
Cc: netfilter@vger.kernel.org
Subject: Re: nft chain route hook prerouting / postrouting
Date: Fri, 24 Jun 2016 19:40:27 +0200	[thread overview]
Message-ID: <20160624174027.GA5456@salvia> (raw)
In-Reply-To: <7a82f5ef-d22e-5d73-c46a-58043ee3fb09@danrimal.net>

Hi,

On Thu, Jun 16, 2016 at 10:44:10AM +0200, Dan Rimal wrote:
> Hello,
> 
> I am trying to rewrite some of our firewalls from iptables to nft and I am
> stuck on some iptables features.
> 
> We have two uplinks from different ISPs, so we have 2 different public IP
> addresses and a LAN with NAT configuration.
> 
> Now, we mark packets on input to distinguish where a packet to our
> servers came from, and use this mark in "ip rule" to select the
> appropriate routing table when the packet goes back to the internet. The
> first routing table has a default route via ISP1, the second routing table
> has a default via ISP2, because we cannot send SRC IP1 via ISP2 and vice
> versa (uRPF).
> 
> Iptables does the desired marking in this way:
> 
> ## mark packet on input
> iptables -t mangle -A PREROUTING -i $INET_IFACE -j MARK --set-mark 100
> iptables -t mangle -A PREROUTING -i $INET2_IFACE -j MARK --set-mark 101
> 
> ## save mark to conntrack when packet goes to LAN
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> ## restore mark to response when packet goes to the internet
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> 
> 
> On some routers, we even mark packets with a mask, to preserve some QoS
> information saved in the mark by TC, for example:
> 
> 
> iptables -t mangle -A PREROUTING -i $INET_IFACE -j MARK --set-mark 201/0xff
> 
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0xff
> 
> 
> Is there any way to implement this behaviour in nftables? I tried to
> create a chain of type route with hook prerouting/postrouting, but I got:
> 
> ./fw-base.nft:39:1-73: Error: Could not process rule: Operation not
> supported
> add chain ip route prerouting { type route hook prerouting priority 0; }
>
> I tried other hooks and it looks like only the output hook is available
> for now. Is it not implemented yet?

Please, use a plain filter chain type instead, eg.

        add chain ip route prerouting { type filter hook prerouting priority 0; }
                                             ^^^^^^

The iptables mangle table only triggers the reroute semantics in the
output chain, i.e. in other chains, mangle chains behave just
like filter chains.
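As an added example (not part of the thread, and not the poster's or the
netfilter project's own ruleset), the iptables mangle rules from the question
translated into an nftables ruleset that uses plain filter chains in
prerouting and postrouting, as the reply suggests. The table name, the
interface names and the "define" symbols are assumptions for illustration;
the mark values 100, 101 and 201/0xff are the ones from the question. The
priority -150 is the same hook priority iptables uses for its mangle table:
after conntrack (-200), so "ct mark" is already populated, and before the
routing decision, so an "ip rule ... fwmark" lookup sees the mark.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of the iptables MARK/CONNMARK rules
# from the question, using "type filter" chains (the "route" chain type is
# only needed in the output hook, where a mark change must trigger a
# re-route). Interface names and the table name are assumptions.

define inet_if  = "eth1"   # uplink to ISP1 (assumed name for $INET_IFACE)
define inet2_if = "eth2"   # uplink to ISP2 (assumed name for $INET2_IFACE)

table ip route {
    chain prerouting {
        # Same hook point as "iptables -t mangle -A PREROUTING".
        type filter hook prerouting priority -150; policy accept;

        # CONNMARK --restore-mark: a reply from a LAN server inherits the
        # mark of its connection, i.e. the uplink the connection came in on.
        ct mark != 0 meta mark set ct mark

        # MARK --set-mark: the first packet of a new connection is tagged
        # with the uplink it arrived on.
        ct mark == 0 iifname $inet_if  meta mark set 100
        ct mark == 0 iifname $inet2_if meta mark set 101

        # Masked variant of the two operations above, equivalent to
        # "--set-mark 201/0xff" and "--restore-mark --mask 0xff": only the
        # low byte carries the uplink id, the upper bits stay untouched so
        # QoS information placed there by TC survives. Use these instead of
        # the two rules above on routers that need it (0xc9 == 201):
        #   ct mark != 0 meta mark set (meta mark & 0xffffff00) | (ct mark & 0xff)
        #   ct mark == 0 iifname $inet_if meta mark set (meta mark & 0xffffff00) | 0xc9
    }

    chain postrouting {
        # Same hook point as "iptables -t mangle -A POSTROUTING".
        type filter hook postrouting priority -150; policy accept;

        # CONNMARK --save-mark: remember the uplink in the conntrack entry
        # when the packet is forwarded on to the LAN.
        ct mark set meta mark
    }
}

# Routing side, unchanged from the iptables setup (iproute2, not nft), e.g.:
#   ip rule add fwmark 100 table 100    # table 100: default via ISP1
#   ip rule add fwmark 101 table 101    # table 101: default via ISP2
# With the masked variant, match on the low byte only:
#   ip rule add fwmark 0xc9/0xff table 100
```

Check the syntax without touching the running ruleset with `nft -c -f
fw-base.nft`, then load it with `nft -f fw-base.nft`. Newer nft versions also
accept the symbolic `priority mangle` in place of `-150`; the numeric value is
used here because it works with the nft version the thread is about. The
restore rule is deliberately placed before the interface rules and guarded with
`ct mark != 0`, so a reply packet is never re-marked by the interface it
happens to arrive on.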

Thread overview:
2016-06-16  8:44 nft chain route hook prerouting / postrouting Dan Rimal
2016-06-24 17:40 ` Pablo Neira Ayuso [this message]