* proper ICMPv6 syntax for specific daddr
@ 2022-09-07 14:10 Tom
2022-09-07 14:39 ` Pablo Neira Ayuso
2022-09-07 14:58 ` Florian Westphal
0 siblings, 2 replies; 8+ messages in thread
From: Tom @ 2022-09-07 14:10 UTC (permalink / raw)
To: netfilter@vger.kernel.org
I can successfully enable ping for IPv6 using this rule:
nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
I have one physical ethernet card which is assigned five IPv6 addresses.
What I want to do is enable it for only 2 of 5 IPv6 addresses, like so:
nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept
...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
rule still works but now the first doesn't. I've tried using sets like so:
nft add rule ip6 filter input ip6 daddr @trusted ip6 nexthdr icmpv6 counter limit rate 5/second accept
nft add rule ip6 filter input ip6 daddr @admin ip6 nexthdr icmpv6 counter limit rate 5/second accept
... with the same result: the second rule is ignored. What am I doing wrong? Is there something about ICMP and multiple IP addresses
on one interface that I'm not aware of? How do I write multiple rules that each enable one daddr?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: proper ICMPv6 syntax for specific daddr
2022-09-07 14:10 proper ICMPv6 syntax for specific daddr Tom
@ 2022-09-07 14:39 ` Pablo Neira Ayuso
2022-09-07 15:13 ` Tom
2022-09-07 14:58 ` Florian Westphal
1 sibling, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-07 14:39 UTC (permalink / raw)
To: Tom; +Cc: netfilter@vger.kernel.org
On Wed, Sep 07, 2022 at 10:10:41AM -0400, Tom wrote:
> I can successfully enable ping for IPv6 using this rule:
>
> nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
>
> I have one physical ethernet card which is assigned five IPv6 addresses.
> What I want to do is enable it for only 2 of 5 IPv6 addresses, like so:
>
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept
Please, don't use "ip6 nexthdr", this strictly means "check for the
IPv6 nexthdr field of the IPv6 header", which is not what you might
need. See:
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
Instead, use "meta l4proto" which already parses the IPv6 extension
headers up to the layer 4 header.
> ...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
> rule still works but now the first doesn't. I've tried using sets like so:
>
> nft add rule ip6 filter input ip6 daddr @trusted ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr @admin ip6 nexthdr icmpv6 counter limit rate 5/second accept
OK, this is using sets, but still looking like iptables+ipset.
Better use concatenations and sets:
table ip6 x {
	set y {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { aaaa:43:a:83::5 . icmpv6 limit rate 5/second,
			     aaaa:43:a:83::6 . icmpv6 limit rate 5/second }
	}
	chain m {
		type filter hook prerouting priority filter; policy drop;
		ip6 daddr . meta l4proto @y accept
	}
}
Probably, nft -o/--optimize might offer more of these transformations
in the future.
* Re: proper ICMPv6 syntax for specific daddr
2022-09-07 14:10 proper ICMPv6 syntax for specific daddr Tom
2022-09-07 14:39 ` Pablo Neira Ayuso
@ 2022-09-07 14:58 ` Florian Westphal
2022-09-07 15:22 ` Tom
1 sibling, 1 reply; 8+ messages in thread
From: Florian Westphal @ 2022-09-07 14:58 UTC (permalink / raw)
To: Tom; +Cc: netfilter@vger.kernel.org
Tom <tom@foscore.com> wrote:
> I can successfully enable ping for IPv6 using this rule:
>
> nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
This is not related to ping, this ratelimits ALL of icmpv6.
Please use 'icmpv6 type { echo-request, echo-reply}'.
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept
>
> ...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
> rule still works but now the first doesn't. I've tried using sets like so:
icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
solicitations, pmtu updates and so on as well.
* Re: proper ICMPv6 syntax for specific daddr
2022-09-07 14:39 ` Pablo Neira Ayuso
@ 2022-09-07 15:13 ` Tom
0 siblings, 0 replies; 8+ messages in thread
From: Tom @ 2022-09-07 15:13 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 2022-09-07 10:39, Pablo Neira Ayuso wrote:
> Please, don't use "ip6 nexthdr", this strictly means "check for the
> IPv6 nexthdr field of the IPv6 header", which is not what you might
> need. See:
> https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
> Instead, use "meta l4proto" which already parses the IPv6 extension
> headers up to the layer 4 header.
OK thanks. WillCo.
> Better use concatenations and sets:
> table ip6 x {
> 	set y {
> 		typeof ip6 daddr . meta l4proto
> 		limit rate 5/second
> 		elements = { aaaa:43:a:83::5 . icmpv6 limit rate 5/second,
> 			     aaaa:43:a:83::6 . icmpv6 limit rate 5/second }
> 	}
> 	chain m {
> 		type filter hook prerouting priority filter; policy drop;
> 		ip6 daddr . meta l4proto @y accept
> 	}
> }
Worked like a charm. Thanks again.
> Probably, nft -o/--optimize might offer more of these transformations
> in the future.
Good to know!
* Re: proper ICMPv6 syntax for specific daddr
2022-09-07 14:58 ` Florian Westphal
@ 2022-09-07 15:22 ` Tom
2022-09-07 15:25 ` Pablo Neira Ayuso
0 siblings, 1 reply; 8+ messages in thread
From: Tom @ 2022-09-07 15:22 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
On 2022-09-07 10:58, Florian Westphal wrote:
> Tom <tom@foscore.com> wrote:
>> nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
> This is not related to ping, this ratelimits ALL of icmpv6.
> Please use 'icmpv6 type { echo-request, echo-reply}'.
> icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
> solicitations, pmtu updates and so on as well.
Ooh, that's not good. What about this, recommended by Pablo:
table ip6 filter {
	set ping6 {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
			     xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
			     xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
	}
	chain input {
		type filter hook input priority filter; policy drop;
		ip6 daddr . meta l4proto @ping6 accept
	}
}
Is this OK?
* Re: proper ICMPv6 syntax for specific daddr
2022-09-07 15:22 ` Tom
@ 2022-09-07 15:25 ` Pablo Neira Ayuso
0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-07 15:25 UTC (permalink / raw)
To: Tom; +Cc: Florian Westphal, netfilter
On Wed, Sep 07, 2022 at 11:22:24AM -0400, Tom wrote:
> On 2022-09-07 10:58, Florian Westphal wrote:
> > Tom <tom@foscore.com> wrote:
> > > nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
> > This is not related to ping, this ratelimits ALL of icmpv6.
> > Please use 'icmpv6 type { echo-request, echo-reply}'.
> > icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
> > solicitations, pmtu updates and so on as well.
>
> Ooh, that's not good. What about this, recommended by Pablo:
>
> table ip6 filter {
> 	set ping6 {
> 		typeof ip6 daddr . meta l4proto
> 		limit rate 5/second
> 		elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
> 			     xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
> 			     xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
> 	}
> 	chain input {
> 		type filter hook input priority filter; policy drop;
> 		ip6 daddr . meta l4proto @ping6 accept
> 	}
> }
>
> Is this OK?
My recommendation is to use concatenations and sets, not to ratelimit
_all_ icmpv6 traffic ;-)
* Re: proper ICMPv6 syntax for specific daddr
2022-09-08 8:46 ` Reindl Harald
@ 2022-09-08 13:31 ` Tom
2022-09-08 14:23 ` Reindl Harald
0 siblings, 1 reply; 8+ messages in thread
From: Tom @ 2022-09-08 13:31 UTC (permalink / raw)
To: Reindl Harald; +Cc: netfilter
On 2022-09-08 04:46, Reindl Harald wrote:
> Am 07.09.22 um 17:57 schrieb Tom:
>> Now I'm confused. I'd like to avoid ping floods if possible
> but that makes no sense when it does more harm than good - the knee-jerk reaction to kill all ICMP has been a problem for decades even on IPv4, but will no longer work with IPv6
Who said I wanted to kill all ICMP? Isn't it obvious that I'm trying to write a rule that allows it?
>> but I can't seem to get the syntax right, so:
>> enable ping6 rate limiting without crippling icmpv6, please do!
> one of the responses contained "Please use 'icmpv6 type { echo-request, echo-reply}'"
Yes I saw that. As I pointed out, I can't get the syntax right which specifies type in a set and also limits rates. That's why I dropped rate limits.
> why do you make all that so complicated? instead, write a simple ratelimit rule for ping that applies to everyone, and *before* it have a set which ACCEPTs a specific list of IPs, if that's needed at all
OK, sounds good. Perhaps you're under the mistaken impression I'm a NFT expert. Clearly I'm not. Perhaps you could suggest a resource where I might find examples which solve my problem. Better yet, you could provide a practical example. It would be appreciated.
> "I'd like to avoid ping floods if possible" don't scale at all with a manually maintained list of source ips and i can't think of anybody with a justification of more than 5 pings per second
Except they're not source IPs, they are destination IPs. The server has multiple IP addresses. I am not limiting which IPs can ping, I'm limiting which of the server IPs they can ping to.
* Re: proper ICMPv6 syntax for specific daddr
2022-09-08 13:31 ` Tom
@ 2022-09-08 14:23 ` Reindl Harald
0 siblings, 0 replies; 8+ messages in thread
From: Reindl Harald @ 2022-09-08 14:23 UTC (permalink / raw)
To: Tom; +Cc: netfilter
Am 08.09.22 um 15:31 schrieb Tom:
> On 2022-09-08 04:46, Reindl Harald wrote:
>> why do you make all that so complicated instead write a simple
>> ratelimit rule for ping apply to everyone and *before* have a set
>> which ACCEPTs a specific list of ip's if that's needed at all
>
> OK, sounds good. Perhaps you're under the mistaken impression I'm a NFT
> expert. Clearly I'm not. Perhaps you could suggest a resource where I
> might find examples which solve my problem. Better yet, you could
> provide a practical example. It would be appreciated
in a ruleset any rule which is final (DROP, REJECT, ACCEPT) skips
anything below
so you have a chain to which you send only ICMP, write the specific
rules first and as the last one the "everything else" decision, no matter
whether it's ACCEPT/DROP/REJECT
i use iptables-nft because i hate the new syntax and have thousands of
lines in scripts to configure and display the status of rulesets - but the
principles are the same for every firewall
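Putting the three pieces of advice in this thread together (Pablo's concatenated set with a per-element limit, Florian's point that only echo traffic should be rate-limited because the rest of ICMPv6 is what keeps IPv6 working, and Reindl's dedicated chain whose final verdict comes last), here is an added example ruleset. It is not code from any of the posters. The two addresses are 2001:db8: documentation-prefix placeholders standing in for the two server addresses that should answer ping; the set and chain names are this example's own.

```nft
#!/usr/sbin/nft -f
# Added example, not from any message in the thread. Assumes a host whose two
# ping-answering addresses are 2001:db8:43:a:83::5 and ::6 (documentation-prefix
# placeholders); the set and chain names are this example's own.

flush ruleset

table ip6 filter {
    # Key is "destination address . ICMPv6 type". Each element carries its own
    # limit, so ::5 and ::6 get independent 5/second token buckets. This needs a
    # kernel and nft that accept stateful expressions in set declarations, the
    # same feature the thread's own set example relies on.
    set ping6 {
        typeof ip6 daddr . icmpv6 type
        limit rate 5/second
        elements = { 2001:db8:43:a:83::5 . echo-request limit rate 5/second,
                     2001:db8:43:a:83::6 . echo-request limit rate 5/second }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Hand all ICMPv6 to one chain; only the rules in that chain decide
        # its fate, so the ordering argument can be audited in one place.
        meta l4proto ipv6-icmp jump icmpv6_in
    }

    # Specific rules first, the catch-all last: the first matching terminal
    # verdict (accept/drop/reject) ends evaluation for that packet.
    chain icmpv6_in {
        # Types IPv6 itself depends on. Never rate-limited: throttling these
        # breaks neighbour discovery, PMTU discovery and router advertisement,
        # which is exactly what a bare "ip6 nexthdr icmpv6 limit" rule does.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-redirect } accept
        # Multicast Listener Discovery, needed on links with MLD-snooping switches.
        icmpv6 type { mld-listener-query, mld-listener-report,
                      mld-listener-done, mld2-listener-report } accept

        # Echo requests: only to the two listed addresses, each capped at
        # 5/second. Over-budget requests do not match and fall through.
        ip6 daddr . icmpv6 type @ping6 counter accept

        # Everything else: echo-request to the other three addresses,
        # over-limit echo-request, and any unlisted type.
        counter drop
    }
}
```

Validate it without loading anything with `nft -c -f ping6.nft`, load it with `nft -f ping6.nft`, and confirm the per-element limits with `nft list set ip6 filter ping6`. Two caveats: `flush ruleset` wipes every table in every family, so on a host that already has rules merge this into the existing table instead of loading it as-is; and the limit is per destination address, not per source, so a single flooding client exhausts the budget for everyone pinging that address. If per-source fairness matters, nft's dynamic sets keyed on `ip6 saddr` with an `update` statement are the tool for that, and are not shown here.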
Thread overview: 8+ messages
2022-09-07 14:10 proper ICMPv6 syntax for specific daddr Tom
2022-09-07 14:39 ` Pablo Neira Ayuso
2022-09-07 15:13 ` Tom
2022-09-07 14:58 ` Florian Westphal
2022-09-07 15:22 ` Tom
2022-09-07 15:25 ` Pablo Neira Ayuso
[not found] <dea61421-4ce1-bb68-2a74-88b6f42c299e@foscore.com>
2022-09-07 15:57 ` Fwd: " Tom
2022-09-08 8:46 ` Reindl Harald
2022-09-08 13:31 ` Tom
2022-09-08 14:23 ` Reindl Harald