Re: Aw: Re: Problems to get started with nftables

Dear Michael

On 16/06/14 17:19, pistenflitzer@xxxxxxxxxxxxx wrote:
Dear Álvaro,

thank you for your detailed answers. Some questions still remain, unfortunately.

                   icmp type { echo-request } limit rate 5/second counter accept
                             ^^^^^^^^^^^^^^^^
It's a single element, you don't need to use a set. You can use the rule

I just added the braces to be consistent throughout the ruleset.

OK, if you want to do that, but the kernel creates a set with only one element (in your case). It's overkill.


What I observe when I load these rules is that the accept in the log1 line is
not enough to accept the packets. They are ultimately dropped in the log3
rule. How do I get the packets through both rule chains?

Because you have a table inet and a table ip6. The table ip6 filter
sees the ip6 traffic and the table inet filter sees the ip4 and ip6
traffic. You have defined the priority of the first chain at 0, so
nftables checks the rules there first and afterwards checks the rules
inside the filter chain in inet.

I suggest you use one single filter table like inet.

How would the rule look like? I tried to just copy it to the inet section,
but I get "Error: conflicting protocols specified: inet-service vs. icmpv6".

I created the separate ip and ip6 tables only for icmp and icmpv6, because I
couldn't get past this issue:
$ nft add rule inet filter input icmp type { echo-request } limit rate 5/second counter accept
<cmdline>:1:28-36: Error: conflicting protocols specified: inet-service vs. icmp
$ sudo nft add rule inet filter input icmpv6 type { echo-request } limit rate 5/second counter accept
<cmdline>:1:28-38: Error: conflicting protocols specified: inet-service vs. icmpv6
$ nft add rule ip6 filter input icmpv6 type { echo-request } limit rate 5/second counter accept
<works>

You have found a bug. A temporary solution is to use the rules adding meta nfproto, for example:

nft add rule inet filter input meta nfproto ipv4 \
	icmp type echo-request counter accept

nft add rule inet filter input meta nfproto ipv6 \
	icmpv6 type echo-request counter accept

I'm working on a fix for that.


#                 udp sport bootps dport bootpc accept

The rule is like this:

nft add rule filter input udp sport bootps udp dport bootpc accept

OK, I overlooked the second udp. Now, it works fine.

And finally: Is there a way to match the destination mac address of an
incoming packet?

You must add a rule with ether like this:

nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter

In what section would that go? When I just execute the command, I get:
"<cmdline>:1:1-59: Error: Could not process rule: No such file or directory
add rule filter input ether daddr 20:16:d8:a2:59:33 counter"

If you follow this trace:

nft add table filter
nft add chain filter input { type filter hook input priority 0 \; }
nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter

it works for me. Try it and tell me if you have problems. Maybe you forgot to add the table or the chain?

Regards

Álvaro
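For reference, the rules discussed in this thread gathered into the single inet filter table Álvaro recommends, as an added example that is not part of either message. The meta nfproto qualifier is the workaround for the "conflicting protocols" error; the loopback, conntrack and neighbour-discovery lines are assumed baseline rules that the thread does not mention, and the MAC address is the one from Michael's ether rule.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. One inet table replaces the separate
# ip/ip6 tables, so a packet is evaluated by one input chain only and the
# "accept in one table, drop in the other" problem cannot occur.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # assumed baseline (not in the thread): loopback and known flows
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # meta nfproto pins the L3 family, so icmp / icmpv6 no longer
        # conflict with the inet pseudo-family; no set needed for one type
        meta nfproto ipv4 icmp type echo-request limit rate 5/second counter accept
        meta nfproto ipv6 icmpv6 type echo-request limit rate 5/second counter accept

        # assumed baseline (not in the thread): IPv6 breaks without neighbour discovery
        meta nfproto ipv6 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCP client replies: sport and dport are separate udp expressions,
        # so the udp keyword must appear twice
        udp sport bootps udp dport bootpc accept

        # count frames addressed to this station's MAC (address from the thread)
        ether daddr 20:16:d8:a2:59:33 counter

        # everything else is counted and logged before the chain policy drops it
        counter log prefix "input drop: "
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` then shows the counters, which is the quickest way to confirm that echo requests are hitting the accept rule rather than the final log line.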