From: Florian Westphal <fw@strlen.de>
To: netfilter@vger.kernel.org
Subject: Re: NFQUEUE usage and interaction with later chain rules
Date: Mon, 15 Apr 2024 15:20:28 +0200 [thread overview]
Message-ID: <20240415132028.GA7880@breakpoint.cc> (raw)
In-Reply-To: <Zh0Y-j3NAbRmAi03@fysh.org>
Athanasius <netfilter.org@miggy.org> wrote:
> I'm in the middle of trying to implement some firewall bans based on
> GeoIP data. It seemed that implementing an NFQUEUE userspace helper
> to do the lookups and decision making was the most feasible solution,
For IP matching? Use ipset or xt_geoip from xtables addons, much
simpler and faster...
> but I have run into some issues. I can probably work around them,
> but it does make this setup more fragile than I'd like.
>
> So, I'd like to ensure I'm properly understanding some things.
>
> 1. The only practical verdicts the userspace helper can return are
> ACCEPT or DROP. Checking through some documentation, examples, and
> kernel code I've come across 'STOLEN', 'QUEUE' and 'REPEAT', but I
> cannot find any actual documentation on what these might achieve.
You can accept, drop, queue (pass packet to queue/program), or repeat,
which will make the packet reenter the same ruleset, i.e. its queued
again unless you use mark tricks to avoid that.
STOLEN cannot be used, its kernel internal.
> 2. There appears to be no way to have an NFQUEUE rule act in a manner
> where the userspace verdict can cause subsequent rules in the chain to
> be considered.
Yes.
> I'd specifically like my userspace helper to be able to say 'DROP',
> but otherwise allow rule evaluation to continue in the chain, rather
> than blindly accepting all else.
Thats impossible to do.
> If I could cause rule evaluation to jump to another chain that would
> also be acceptable, simply placing rules that would normally be later
> in the current chain into that one.
Same.
> there's no userspace helper listening to the queue... but this literally
> turns the rule into an ACCEPT, rather than passing evaluation to later
> rules. Presumably the 'fail open' socket option, to not cause all
> packets to be dropped if the queue buffer is filled, has the same issue.
> It's then blind ACCEPT rather than "let later rules look at the packet".
Right.
> Is any of my understanding in error? Can I actually implement this
> how I'd prefer, with later rules being evaulated upon some specific
> verdict returned from userspace ?
No. It would require significant rewrites on the kernel side, nfqueue
would have to be moved from core into xt_NFQUEUE and nft_queue,
respectively, with nftables/xtables specific changes to support what
you want, and such change would also break backwards compatibility.
I don't think this is going to happen.
prev parent reply other threads:[~2024-04-15 13:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-15 12:09 NFQUEUE usage and interaction with later chain rules Athanasius
2024-04-15 13:08 ` Athanasius
2024-04-15 13:20 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240415132028.GA7880@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).