* validate IPsec outgoing packets using NFtables
@ 2020-04-06 15:33 Olivier Alabeatrix
From: Olivier Alabeatrix @ 2020-04-06 15:33 UTC (permalink / raw)
To: netfilter
Hi!
Using Debian 10/nftables v0.9.0, I'm having trouble getting nftables to
validate outgoing IPsec packets using the secpath meta.
This is part of a ruleset on R1, an IPsec gateway, that is supposed to
only forward traffic between 172.16.11.0/24 and 172.16.12.0/24 if it is
secured by IPsec:
172.16.11.0/24-R1-----ESP-----R2-172.16.12.0/24
chain forward {
    type filter hook forward priority 0; policy drop;
    # inbound traffic decrypted from ESP still carries its secpath here
    ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 meta secpath exists counter accept
    ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 counter accept
    log prefix "NFtables: FWD:"
    counter drop
}
chain postrouting {
    # outgoing direction, evaluated after routing
    type filter hook postrouting priority 0; policy drop;
    # never matching:
    ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 meta secpath exists counter accept
    ip saddr 172.16.12.0/24 ip daddr 172.16.12.0/24 counter accept
    log prefix "NFtables: POST:"
    counter drop
}
While the forward chain does match incoming IPsec-secured packets
using:
    ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 meta secpath exists counter accept
the postrouting chain secpath rule never matches:
    ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 meta secpath exists counter accept
What may I be doing wrong? Any help is welcome.
* Re: validate IPsec outgoing packets using NFtables
From: Florian Westphal @ 2020-04-06 15:49 UTC (permalink / raw)
To: Olivier Alabeatrix; +Cc: netfilter
Olivier Alabeatrix <oalabeatrix@gmail.com> wrote:
> The postrouting chain secpath rule never matches:
>     ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 meta secpath exists counter accept
>
> What may I be doing wrong? Any help is welcome.
Outgoing packets do not have a secpath, you will need to use
'rt ipsec exists'.
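The fix the reply points at, as an added example that is not part of the thread: the postrouting chain tests `rt ipsec exists` (the xfrm policy lookup for the packet's outgoing route) instead of `meta secpath exists`, which only packets that were decrypted on input carry. This assumes a kernel and nft build that support the `rt ipsec` expression (the original poster's nftables 0.9.0 predates it) and that the chains live in a table named `filter`; the `ip protocol esp` rule is an added assumption so that R1's own encapsulated ESP packets, which also traverse postrouting after encryption, are not dropped by the chain's drop policy.

```nft
#!/usr/sbin/nft -f
# Assumed table name; the thread only shows the two chains.
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # 172.16.12.0/24 -> 172.16.11.0/24 arrives inside ESP from R2; after
        # decryption the forward hook still sees the secpath, so this works.
        ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 meta secpath exists counter accept
        # Plaintext LAN traffic towards the remote site; it is only encrypted
        # after routing, so it is checked in postrouting below, not here.
        ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 counter accept
        log prefix "NFtables: FWD:" counter drop
    }

    chain postrouting {
        type filter hook postrouting priority 0; policy drop;
        # Outgoing packets have no secpath yet. "rt ipsec exists" is true when
        # the xfrm policy lookup says this packet will be IPsec-protected.
        ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 rt ipsec exists counter accept
        # Return direction towards the local LAN was already validated in forward.
        ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 counter accept
        # Assumption: the encrypted ESP packets R1 emits towards R2 pass this
        # hook again; without a rule for them the policy would drop the tunnel.
        ip protocol esp counter accept
        log prefix "NFtables: POST:" counter drop
    }
}
```

To check the behaviour, send traffic from 172.16.11.0/24 towards 172.16.12.0/24 and run `nft list chain ip filter postrouting`: the `rt ipsec exists` counter should increase while the log/drop counter stays at zero, and a packet that would leave unprotected (for example with the xfrm policy removed) shows up under the "NFtables: POST:" prefix instead.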