* Nftables 2 WAN
From: Daniel @ 2020-08-14 16:27 UTC
To: Netfilter list
Hello,
I'm configuring a router which has 2 WAN, one being a tunnel over GRE
which is for a BGP session accepting all IPv6 routes. I have 2 interfaces,
eth0 which has 2 IPv6 addresses and gretunnel which has one IPv6 address.
Problem is that incoming IPv6 traffic to eth0 is going out through
gretunnel. My rules are
fwtables="sudo nft"
myip="sudo ip"

# nft table mangle ip and ip6
#
$fwtables delete table ip mangle 2>/dev/null || true
$fwtables delete table ip6 mangle 2>/dev/null || true
$fwtables add table ip mangle 2>/dev/null || true
$fwtables add table ip6 mangle 2>/dev/null || true
$fwtables add chain ip6 mangle output "{ type nat hook output priority -150 ; policy accept ; }"
$fwtables add rule ip6 mangle output oifname != gretunnel meta mark set 0x254
$fwtables add rule ip6 mangle output oifname gretunnel meta mark set 0x2

# nft table route
#
$fwtables add table ip6 route
$fwtables add chain ip6 route output
$fwtables add rule ip6 route output meta oif gretunnel meta mark != 0x2 counter drop

# ip route mark
#
$myip rule add fwmark 0x254 table default
$myip rule add fwmark 0x2 table isp2
$myip route flush table isp2
$myip route add prohibit default table isp2
What is wrong with this setup?
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
* Re: Nftables 2 WAN
From: Daniel @ 2020-08-14 21:26 UTC
To: Netfilter list
On 14/08/2020 at 18:27, Daniel wrote:
> Hello,
>
> I'm configuring a router which has 2 WAN, one being a tunnel over GRE
> which is for a BGP session accepting all IPv6 routes. I have 2
> interfaces, eth0 which has 2 IPv6 addresses and gretunnel which has
> one IPv6 address.
>
> Problem is that incoming ipv6 traffic to eth0 is going out through
> gretunnel. My rules are
>
> fwtables="sudo nft"
> myip="sudo ip"
>
> # nft table mangle ip and ip6
> #
> $fwtables delete table ip mangle 2>/dev/null || true
> $fwtables delete table ip6 mangle 2>/dev/null || true
> $fwtables add table ip mangle 2>/dev/null || true
> $fwtables add table ip6 mangle 2>/dev/null || true
> $fwtables add chain ip6 mangle output "{ type nat hook output priority
> -150 ; policy accept ; }"
> $fwtables add rule ip6 mangle output oifname != gretunnel meta mark
> set 0x254
> $fwtables add rule ip6 mangle output oifname gretunnel meta mark set 0x2
>
> # nft table route
> #
> $fwtables add table ip6 route
> $fwtables add chain ip6 route output
> $fwtables add rule ip6 route output meta oif gretunnel meta mark !=
> 0x2 counter drop
>
> # ip route mark
> #
> $myip rule add fwmark 0x254 table default
> $myip rule add fwmark 0x2 table isp2
> $myip route flush table isp2
> $myip route add prohibit default table isp2
>
> What is wrong with this setup ?
UPDATE: I discovered that the traffic I see on interface gretunnel is only
the locally generated one, which is going out with the eth0 IPv6 address. I
modified the mangle table, which now looks like
# nft table mangle ip6
#
$fwtables delete table ip6 mangle 2>/dev/null || true
$fwtables add table ip6 mangle 2>/dev/null || true
$fwtables add chain ip6 mangle output "{ type nat hook output priority -199 ; policy accept ; }"
$fwtables add rule ip6 mangle output meta oifname != "gretunnel" meta mark set 0x254 return
$fwtables add rule ip6 mangle output ip6 saddr 2a01:XXXX:YYYY:ZZZZ::1 meta mark set 0x00000254 return
$fwtables add rule ip6 mangle output meta oifname "gretunnel" meta mark set 0x2
where 2a01:XXXX:YYYY:ZZZZ::1 is the eth0 IPv6 address, but no luck:
traffic is still going out through the gretunnel interface.
Thanks for any hint
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
* Re: Nftables 2 WAN
From: Pablo Neira Ayuso @ 2020-08-16 18:40 UTC
To: Daniel; +Cc: Netfilter list
On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
[...]
> UPDATE: I discover that the traffic I see on interface gretunnel is only the
> local generated one which is going out with the eth0 ipv6 address. I modify
> mangle table which now looks like
>
> # nft table mangle ip6
> #
> $fwtables delete table ip6 mangle 2>/dev/null || true
> $fwtables add table ip6 mangle 2>/dev/null || true
> $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
> ; policy accept ; }"
Why chain type 'nat'? You probably meant to specify 'mangle' here.
NAT chains only see the first packet of flows.
* Re: Nftables 2 WAN
From: Daniel @ 2020-08-16 21:24 UTC
Cc: Netfilter list
On 16/08/2020 at 20:40, Pablo Neira Ayuso wrote:
> On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
> [...]
>> UPDATE: I discover that the traffic I see on interface gretunnel is only the
>> local generated one which is going out with the eth0 ipv6 address. I modify
>> mangle table which now looks like
>>
>> # nft table mangle ip6
>> #
>> $fwtables delete table ip6 mangle 2>/dev/null || true
>> $fwtables add table ip6 mangle 2>/dev/null || true
>> $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
>> ; policy accept ; }"
> Why chain type 'nat'? You probably meant to specify 'mangle' here.
> NAT chains only see the first packet of flows.
Because mangle is not accepted.
$fwtables add chain ip6 mangle output "{ type mangle hook output priority -199 ; policy accept ; }"
dh@peech:~$ sudo sh nft-mark.sh
Error: unknown chain type mangle
add chain ip6 mangle output { type mangle hook output priority -199 ;
policy accept ; }
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
* Re: Nftables 2 WAN
From: Daniel @ 2020-08-16 21:39 UTC
To: Netfilter list
On 16/08/2020 at 23:27, Florian Westphal wrote:
> Daniel <tech@tootai.net> wrote:
>> On 16/08/2020 at 20:40, Pablo Neira Ayuso wrote:
>>> On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
>>> [...]
>>>> UPDATE: I discover that the traffic I see on interface gretunnel is only the
>>>> local generated one which is going out with the eth0 ipv6 address. I modify
>>>> mangle table which now looks like
>>>>
>>>> # nft table mangle ip6
>>>> #
>>>> $fwtables delete table ip6 mangle 2>/dev/null || true
>>>> $fwtables add table ip6 mangle 2>/dev/null || true
>>>> $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
>>>> ; policy accept ; }"
>>> Why chain type 'nat'? You probably meant to specify 'mangle' here.
>>> NAT chains only see the first packet of flows.
>> Because mangle is not accepted.
> :-)
>
> It's 'route'. You need this for output in case you want to re-route the
> packet if e.g. skb->mark has been altered.
>
> Default 'filter' won't do that.
Like this?
$fwtables add chain ip6 mangle output "{ type route hook output priority -199 ; policy accept ; }"
No changes.
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
* Re: Nftables 2 WAN
From: Florian Westphal @ 2020-08-16 21:54 UTC
To: Daniel; +Cc: Netfilter list
Daniel <tech@tootai.net> wrote:
>
> On 16/08/2020 at 23:27, Florian Westphal wrote:
> > Daniel <tech@tootai.net> wrote:
> > > On 16/08/2020 at 20:40, Pablo Neira Ayuso wrote:
> > > > On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
> > > > [...]
> > > > > UPDATE: I discover that the traffic I see on interface gretunnel is only the
> > > > > local generated one which is going out with the eth0 ipv6 address. I modify
> > > > > mangle table which now looks like
> > > > >
> > > > > # nft table mangle ip6
> > > > > #
> > > > > $fwtables delete table ip6 mangle 2>/dev/null || true
> > > > > $fwtables add table ip6 mangle 2>/dev/null || true
> > > > > $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
> > > > > ; policy accept ; }"
> > > > Why chain type 'nat'? You probably meant to specify 'mangle' here.
> > > > NAT chains only see the first packet of flows.
> > > Because mangle is not accepted.
> > :-)
> >
> > It's 'route'. You need this for output in case you want to re-route the
> > packet if e.g. skb->mark has been altered.
> >
> > Default 'filter' won't do that.
>
> Like this?
>
> $fwtables add chain ip6 mangle output "{ type route hook output priority
> -199 ; policy accept ; }"
>
> No changes.
Then you have another problem. Make sure that
ip route get $daddr and/or ip route get $daddr mark $MARK
give the expected results, then make sure the ip6 output chain that
serves as 'route' logic marks those packets correctly.
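As an added example (not code from anyone in this thread), the output chain written the way Florian describes it (type 'route', so a mark changed in the chain re-runs the routing lookup) together with a checker for the "ip -6 route get $daddr mark $MARK" test he suggests. Interface names, marks and table names are taken from the thread; the policy-routing commands are given with -6, since ip(8) adds IPv4 rules by default.

```shell
#!/bin/sh
# Added example, not from the thread: a 'route' type output chain plus a
# checker for "ip -6 route get $daddr mark $MARK". Interface names, marks
# and table names are the thread's own.

# Ruleset in nft native syntax; load it with: nft -f rules.nft
gen_ruleset() {
  cat <<'EOF'
table ip6 mangle {
  chain output {
    # 'route', not 'nat' (sees only the first packet of a flow) or
    # 'filter' (no re-routing after the mark is set)
    type route hook output priority -199; policy accept;
    oifname != "gretunnel" meta mark set 0x254 return
    oifname "gretunnel" meta mark set 0x2
  }
}
EOF
}

# Policy routing from the thread. Note the -6: plain "ip rule add" creates
# an IPv4 rule, which an IPv6 lookup never consults.
setup_ip_rules() {
  ip -6 rule add fwmark 0x254 table default
  ip -6 rule add fwmark 0x2 table isp2
  ip -6 route flush table isp2
  ip -6 route add prohibit default table isp2
}

# Egress device named in one line of `ip -6 route get` output; "prohibit"
# when the kernel answered EACCES, which is what a 'prohibit' route returns.
egress_dev() {
  case "$1" in
    *"Permission denied"*) echo prohibit ;;
    *" dev "*) printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' ;;
    *) echo unknown ;;
  esac
}

# Live check: lookup of $1 with fwmark $2 must select device $3 (0 = match).
# Example: check_egress 2001:db8::1 0x2 prohibit; check_egress 2001:db8::1 0x254 eth0
check_egress() {
  out=$(ip -6 route get "$1" mark "$2" 2>&1)
  [ "$(egress_dev "$out")" = "$3" ]
}
```

Run check_egress once per mark and once without a mark, as Florian suggests, before touching the nft rules; if the lookups already pick the wrong device, the chain cannot fix it.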