Linux Netfilter discussions
From: Stephen Satchell <list@satchell.net>
To: Linux Netfilter Users List <netfilter@vger.kernel.org>
Subject: FIB filtering (comments, please)
Date: Thu, 21 May 2020 13:10:59 -0700
Message-ID: <fbd4e0bf-9e17-a54a-e084-bfbbd161c029@satchell.net>

I'm taking a stab at answering my own question about using the FIB to 
filter unwanted packets, as suggested by BCP-38.

Assumption: the FIB (routing table) has entries for all inside networks 
with proper gateway entries.  For many edge routers, the FIB gains 
information from the network interfaces configurations.  One of those 
network interfaces is the WAN, or uplink, interface.

Assumption: Non-routed netblocks are in the FIB as "black hole". Ditto 
netblocks that are administratively blocked.

Section 3 of BCP-38 talks about restricting forged traffic.

* edge router MUST NOT send any packet with a source address
   not in the router itself or in the inside network.
* edge router MUST NOT send broadcast packets upstream
* edge router MAY drop received upstream broadcast packet

So my attempt at blocking bad traffic looks something like this:

> define wan0 = enp1s0
> table inet filter {
>     chain wan_prerouting {
>         fib saddr . mark oif $wan0       counter drop # no in-n-out
>         fib daddr . iif type broadcast   counter drop # no non-unicast
>         fib daddr . iif type anycast     counter drop
>         fib daddr . iif type multicast   counter drop
>         fib daddr . iif type blackhole   counter drop
>         fib daddr . iif type unreachable counter drop
>         fib daddr . iif type prohibit    counter drop
>         }
> 
>     chain wan_output {
>         # the output hook has no input interface, so the lookups key on oif
>         fib saddr . oif type broadcast   counter drop # no non-unicast
>        #fib saddr . oif type anycast     counter drop (unicast)
>         fib saddr . oif type multicast   counter drop
>         fib saddr . oif type blackhole   counter drop
>         fib saddr . oif type unreachable counter drop
>         fib saddr . oif type prohibit    counter drop
>         }
> 
>     chain prerouting {
>         type filter hook prerouting priority 0; policy accept;
> 
>         iifname $wan0 jump wan_prerouting
>         }
> 
>     chain output {
>         type filter hook output priority 0; policy accept;
> 
>         # locally generated packets carry no iif; select them by oifname
>         oifname $wan0 jump wan_output
>         }
>     }

For those edge routers with full BGP tables, this netfilter code should 
block packets from being sent to subnet broadcast addresses.
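To see what decisions the `fib ... type` and `fib ... oif` matches above actually make, here is a small model of them, added as an example and not code from the post: a toy FIB with longest-prefix match, the address types nft reports, and the two per-direction verdicts. All addresses, interface names other than enp1s0, and the FIB entries are constructed, and the ingress source check is written as a reverse-path test (drop when the source would not route back out the WAN), which is an assumption about the intent of the "no in-n-out" rule.

```python
from ipaddress import ip_address, ip_network
WAN = "enp1s0"
# Constructed FIB in the shape the post assumes: inside nets via LAN, the WAN
# link net plus a default route via WAN, blocked nets as blackhole/prohibit.
FIB = [
    ("0.0.0.0/0", "unicast", WAN),
    ("100.64.0.0/30", "unicast", WAN),       # WAN link network
    ("192.0.2.0/24", "unicast", "lan0"),     # inside network
    ("10.0.0.0/8", "blackhole", None),       # non-routed
    ("203.0.113.0/24", "prohibit", None),    # administratively blocked
]
LOCAL = {"100.64.0.2", "192.0.2.1"}  # the router's own addresses
UNWANTED = {"broadcast", "anycast", "multicast", "blackhole", "unreachable", "prohibit"}

def fib_lookup(addr):
    """Longest-prefix match returning (type, oif): the two results that
    nft's `fib ... type` and `fib ... oif` expose to a rule."""
    a = ip_address(addr)
    if a.is_multicast:
        return "multicast", None
    best = None
    for prefix, rtype, oif in FIB:
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, oif)
    if best is None:
        return "unreachable", None
    net, rtype, oif = best
    if str(a) in LOCAL:
        return "local", oif
    if rtype == "unicast" and net.prefixlen < 31 and a == net.broadcast_address:
        return "broadcast", oif              # directed or limited broadcast
    return rtype, oif

def wan_ingress_verdict(saddr, daddr):
    """Packet received on the WAN (the post's wan_prerouting chain)."""
    if fib_lookup(daddr)[0] in UNWANTED:
        return "drop"                        # the `fib daddr . iif type` rules
    stype, oif = fib_lookup(saddr)
    if stype == "local" or oif != WAN:
        return "drop"                        # reverse path: our/inside source from upstream
    return "accept"

def wan_egress_verdict(saddr):
    """Packet leaving via the WAN (the post's wan_output chain, BCP-38 egress)."""
    stype, oif = fib_lookup(saddr)
    if stype in UNWANTED or (stype != "local" and oif == WAN):
        return "drop"                        # non-unicast, or neither ours nor inside
    return "accept"
```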
