* Nftables 2 WAN
@ 2020-08-14 16:27 Daniel
2020-08-14 21:26 ` Daniel
0 siblings, 1 reply; 6+ messages in thread
From: Daniel @ 2020-08-14 16:27 UTC (permalink / raw)
To: Netfilter list
Hello,
I'm configuring a routeur which has 2 WAN, one being a tunnel over gre
which is for bgp session accepting all ipv6 routes. I have 2 interfaces,
eth0 which has 2 ipv6 addresses and gretunnel which has one ipv6 address.
Problem is that incoming ipv6 traffic to eth0 is going out through
gretunnel. My rules are
fwtables="sudo nft"
myip="sudo ip"
# nft table mangle ip and ip6
#
$fwtables delete table ip mangle 2>/dev/null || true
$fwtables delete table ip6 mangle 2>/dev/null || true
$fwtables add table ip mangle 2>/dev/null || true
$fwtables add table ip6 mangle 2>/dev/null || true
$fwtables add chain ip6 mangle output "{ type nat hook output priority
-150 ; policy accept ; }"
$fwtables add rule ip6 mangle output oifname != gretunnel meta mark set
0x254
$fwtables add rule ip6 mangle output oifname gretunnel meta mark set 0x2
# nft table route
#
$fwtables add table ip6 route
$fwtables add chain ip6 route output
$fwtables add rule ip6 route output meta oif gretunnel meta mark != 0x2
counter drop
# ip route mark
#
$myip rule add fwmark 0x254 table default
$myip rule add fwmark 0x2 table isp2
$myip route flush table isp2
$myip route add prohibit default table isp2
What is wrong with this setup ?
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Nftables 2 WAN
2020-08-14 16:27 Nftables 2 WAN Daniel
@ 2020-08-14 21:26 ` Daniel
2020-08-16 18:40 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Daniel @ 2020-08-14 21:26 UTC (permalink / raw)
To: Netfilter list
Le 14/08/2020 à 18:27, Daniel a écrit :
> Hello,
>
> I'm configuring a routeur which has 2 WAN, one being a tunnel over gre
> which is for bgp session accepting all ipv6 routes. I have 2
> interfaces, eth0 which has 2 ipv6 addresses and gretunnel which has
> one ipv6 address.
>
> Problem is that incoming ipv6 traffic to eth0 is going out through
> gretunnel. My rules are
>
> fwtables="sudo nft"
> myip="sudo ip"
>
> # nft table mangle ip and ip6
> #
> $fwtables delete table ip mangle 2>/dev/null || true
> $fwtables delete table ip6 mangle 2>/dev/null || true
> $fwtables add table ip mangle 2>/dev/null || true
> $fwtables add table ip6 mangle 2>/dev/null || true
> $fwtables add chain ip6 mangle output "{ type nat hook output priority
> -150 ; policy accept ; }"
> $fwtables add rule ip6 mangle output oifname != gretunnel meta mark
> set 0x254
> $fwtables add rule ip6 mangle output oifname gretunnel meta mark set 0x2
>
> # nft table route
> #
> $fwtables add table ip6 route
> $fwtables add chain ip6 route output
> $fwtables add rule ip6 route output meta oif gretunnel meta mark !=
> 0x2 counter drop
>
> # ip route mark
> #
> $myip rule add fwmark 0x254 table default
> $myip rule add fwmark 0x2 table isp2
> $myip route flush table isp2
> $myip route add prohibit default table isp2
>
> What is wrong with this setup ?
UPDATE: I discover that the traffic I see on interface gretunnel is only
the local generated one which is going out with the eth0 ipv6 address. I
modify mangle table which now looks like
# nft table mangle ip6
#
$fwtables delete table ip6 mangle 2>/dev/null || true
$fwtables add table ip6 mangle 2>/dev/null || true
$fwtables add chain ip6 mangle output "{ type nat hook output priority
-199 ; policy accept ; }"
$fwtables add rule ip6 mangle output meta oifname != "gretunnel" meta
mark set 0x254 return
$fwtables add rule ip6 mangle output ip6 saddr 2a01:XXXX:YYYY:ZZZZ::1
meta mark set 0x00000254 return
$fwtables add rule ip6 mangle output meta oifname "gretunnel" meta mark
set 0x2
where 2a01:XXXX:YYYY:ZZZZ::1 is the eth0 ipv6 address but no luck,
traffic still going out through gretunnel interface.
Thanks for any hint
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Nftables 2 WAN
2020-08-14 21:26 ` Daniel
@ 2020-08-16 18:40 ` Pablo Neira Ayuso
2020-08-16 21:24 ` Daniel
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-16 18:40 UTC (permalink / raw)
To: Daniel; +Cc: Netfilter list
On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
[...]
> UPDATE: I discover that the traffic I see on interface gretunnel is only the
> local generated one which is going out with the eth0 ipv6 address. I modify
> mangle table which now looks like
>
> # nft table mangle ip6
> #
> $fwtables delete table ip6 mangle 2>/dev/null || true
> $fwtables add table ip6 mangle 2>/dev/null || true
> $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
> ; policy accept ; }"
Why chain type 'nat' ? Probably you meant to specify here 'mangle'.
NAT chains only see the first packet of flows.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Nftables 2 WAN
2020-08-16 18:40 ` Pablo Neira Ayuso
@ 2020-08-16 21:24 ` Daniel
[not found] ` <20200816212759.GJ1660@breakpoint.cc>
0 siblings, 1 reply; 6+ messages in thread
From: Daniel @ 2020-08-16 21:24 UTC (permalink / raw)
Cc: Netfilter list
Le 16/08/2020 à 20:40, Pablo Neira Ayuso a écrit :
> On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
> [...]
>> UPDATE: I discover that the traffic I see on interface gretunnel is only the
>> local generated one which is going out with the eth0 ipv6 address. I modify
>> mangle table which now looks like
>>
>> # nft table mangle ip6
>> #
>> $fwtables delete table ip6 mangle 2>/dev/null || true
>> $fwtables add table ip6 mangle 2>/dev/null || true
>> $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
>> ; policy accept ; }"
> Why chain type 'nat' ? Probably you meant to specify here 'mangle'.
> NAT chains only see the first packet of flows.
Because mangle is not accepted.
$fwtables add chain ip6 mangle output "{ type mangle hook output
priority -199 ; policy accept ; }"
dh@peech:~$ sudo sh nft-mark.sh
Error: unknown chain type mangle
add chain ip6 mangle output { type mangle hook output priority -199 ;
policy accept ; }
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-08-16 21:54 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-08-14 16:27 Nftables 2 WAN Daniel
2020-08-14 21:26 ` Daniel
2020-08-16 18:40 ` Pablo Neira Ayuso
2020-08-16 21:24 ` Daniel
[not found] ` <20200816212759.GJ1660@breakpoint.cc>
2020-08-16 21:39 ` Daniel
2020-08-16 21:54 ` Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox