Linux Netfilter discussions
 help / color / mirror / Atom feed
* Constraints on nft expressions and statements in inet ingress chains
@ 2021-02-08 15:49 Frank Myhr
  2021-02-08 16:32 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Frank Myhr @ 2021-02-08 15:49 UTC (permalink / raw)
  To: netfilter

Hi,

Since nftables 0.9.7 and kernel 5.10 we have inet ingress chains. It's 
great to now be able to share sets and maps among ingress and other inet 
chains!

I'm wondering about constraints on nft expressions and statements that 
can be used in inet ingress chains?

Some clearly make no sense, like:
- anything involving an output interface
- anything related to conntrack (I think)
- packet mark (I think)

Not sure about:
- reject statement (pretty sure not)
- ah & esp header expressions?
- raw payload expression?
- extension header expressions?

Seem to work, but are they a good idea this early in processing?:
- tcp header & udp header expressions? If IP datagrams are fragmented, 
these matches will miss all but first fragment, correct? (Since 
defragmentation doesn't happen until prerouting?)

My general impression is that inet ingress filtering on L3 IPv4 and IPv6 
header expressions like ip saddr, ip daddr is okay, but trying to reach 
into L4 so early will be problematic...

Thanks for your comments / correction / clarification!

Thanks,
Frank

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-08 18:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-08 15:49 Constraints on nft expressions and statements in inet ingress chains Frank Myhr
2021-02-08 16:32 ` Florian Westphal
2021-02-08 18:01   ` Frank Myhr

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox