弁財天

Goffman: "Don't just trust the experts; think it through and judge for yourself."

Migrating ebtables to nftables…

Evaluating the setup where ebtables marks packets from a specific MAC address and iptables filters on that mark

At home we had been using MAC-address-based filtering, but apparently the ebtables-to-iptables hand-off had stopped working at some point lol (slow to notice lol)

Installing iptables-nft for the migration…

# dnf install iptables-nft

2020-02-02T11:51:35Z SUBDEBUG Installed: iptables-nft-1.8.3-7.fc31.x86_64

# rpm -ql iptables-nft
…
/usr/sbin/ebtables
/usr/sbin/ebtables-nft
/usr/sbin/ebtables-nft-restore
/usr/sbin/ebtables-nft-save
/usr/sbin/ebtables-restore
/usr/sbin/ebtables-save
…
/usr/sbin/iptables
/usr/sbin/iptables-nft
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save
/usr/sbin/iptables-restore
/usr/sbin/iptables-restore-translate
/usr/sbin/iptables-save
/usr/sbin/iptables-translate
…
There is an iptables-restore-translate, but no ebtables-translate lol

bugs.debian.org→Debian Bug report logs - #918551 ebtables-nft does not know -t broute

spinics.net→Re: nftables equivalent for ebtables BROUTING trick?

Right, this isn't implemented at the moment, this facility is very much bridge specific.

strlen.de→Bridge filtering with nftables Florian Westphal Red Hat fw@strlen.de (PDF)

NF_BR_BROUTING not a hook – used by the magic ebtables “broute” table which can be used to have packets enter the local stack without even hitting the main bridge code.
The ebtables BROUTE table is not a hook, so it cannot be migrated to nftables lol

wiki.nftables.org→Setting packet metainformation

nft add rule filter forward meta mark set 1

Since you should be able to write ether daddr 00:11:22:33:44:55 the same way you write ip daddr 127.0.0.1, maybe nft doesn't need broute at all?

knowledge.sakura.ad.jp→Introduction to nftables, the new packet-filtering tool for Linux

Or do you mark in the netdev ingress hook after all? lol

kernel.org→Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso(PDF)

# nft add rule netdev filter ingress meta mark set 0xdead \
 fib daddr . mark type vmap { \
 blackhole : drop, \
 prohibit : jump prohibited, \
 unreachable : drop }

nft add table netdev broute_enx9s9
nft add chain netdev broute_enx9s9 chain_enx9s9 { type filter hook ingress device enx9s9 priority 0 \; }

When putting this in a shell script, the ; has to be escaped as \; lol

table netdev broute_enx9s9 {
	chain chain_enx9s9 {
		type filter hook ingress device "enx9s9" priority filter; policy accept;
	}
}

# nft add rule chain_enx9s9meta mark set 0x313
Error: syntax error, unexpected meta, expecting string
add rule chain_enx9s9 meta mark set 0x313
                      ^^^^
#

Since ebtables was only setting a mark based on the MAC address, maybe it isn't even worth translating.

It isn't a bridge-type firewall any more, so I don't use the bridge family, but you can configure with ebtables-nft and pull the definition out with nft list ruleset lol

table bridge filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ether type ip counter packets 0 bytes 0 accept
		ether type ip6 counter packets 0 bytes 0 drop
		ether type arp counter packets 0 bytes 0 accept
		ether type 0x0000 counter packets 0 bytes 0 accept
		log prefix "EBFW_INPUT" flags ether  counter packets 0 bytes 0 drop
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ether type ip counter packets 0 bytes 0 accept
		ether type ip6 counter packets 0 bytes 0 drop
		ether type arp counter packets 0 bytes 0 accept
		ether type 0x0000 counter packets 0 bytes 0 accept
		log prefix "EBFW_FORWARD" flags ether  counter packets 0 bytes 0 drop
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		ether type ip counter packets 0 bytes 0 accept
		ether type ip6 counter packets 0 bytes 0 drop
		ether type arp counter packets 0 bytes 0 accept
		ether type 0x0000 counter packets 0 bytes 0 accept
		log prefix "EBFW_OUTPUT" flags ether  counter packets 0 bytes 0 drop
	}
}

#!/bin/sh

nft flush ruleset

nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0\; policy accept\; }
nft add chain ip filter FORWARD { type filter hook forward priority 0\; policy accept\; }
nft add chain ip filter BROUTE

nft add rule ip filter INPUT counter jump BROUTE
nft add rule ip filter FORWARD counter jump BROUTE

nft add rule ip filter FORWARD mark and 0xffff == 0x666 counter accept
nft add rule ip filter INPUT mark and 0xffff == 0x666 counter accept

nft add rule ip filter BROUTE meta mark set 0x333
nft add rule ip filter BROUTE ether saddr 11:22:33:44:55:66 meta mark set 0x666

# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 233 bytes 594704 jump BROUTE
		meta mark & 0x0000ffff == 0x00000666 counter packets 233 bytes 594704 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump BROUTE
		meta mark & 0x0000ffff == 0x00000666 counter packets 0 bytes 0 accept
	}

	chain BROUTE {
		meta mark set 0x00000333
		ether saddr 11:22:33:44:55:66 meta mark set 0x00000666
	}
}

In the past I had written this in iptables:

-A INPUT -m mark --mark 0x666/0xffff -j ACCEPT

so it looks like /usr/sbin/iptables-restore-translate translated it into

meta mark & 0x0000ffff == 0x00000666 counter packets 233 bytes 594704 accept

lol

If you want to specify the interface, something like this…

ether saddr 11:22:33:44:55:66 meta mark set 0x00000666 iif "enx9s9"
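As an added example (not code from the post), the script below turns the sequence of `nft add` commands above into a generated ruleset in native `nft -f` syntax, so there is no `\;` escaping and the whole thing can be dry-run with `nft -c`. `gen_ip_ruleset` is the post's design: a hook-less `BROUTE` chain that marks everything 0x333 and frames from listed source MACs 0x666, with `INPUT`/`FORWARD` accepting only the 0x666 mark. `gen_netdev_ruleset` is the ingress-hook variant the post experiments with; note that `add rule` needs family, table and chain, which is why the bare `nft add rule chain_enx9s9 …` above was rejected as a syntax error. The mark is a field on the skb and is not cleared between hooks, so a mark set at ingress can be matched by the ip-family chains without a `BROUTE` chain. The interface name `enx9s9` and the MAC addresses are placeholders taken from the post; a source MAC is set by the sender, so this mark identifies a NIC, not a trusted host. MACs are validated before they are interpolated into the ruleset.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a native nftables
# ruleset (nft -f syntax) that replaces the ebtables "mark by source MAC" step.
# The interface name and MAC addresses used below are constructed placeholders.

# is_mac: return 0 if $1 is a colon-separated 48-bit MAC, 1 otherwise.
# Rejecting malformed input here beats discovering it as an nft syntax error.
is_mac() {
	case "$1" in
		??:??:??:??:??:??) ;;
		*) return 1 ;;
	esac
	case "$(printf '%s' "$1" | tr -d ':')" in
		*[!0-9a-fA-F]*) return 1 ;;
	esac
	return 0
}

# gen_ip_ruleset IFNAME MAC...: the post's script in file form. BROUTE is an
# ordinary (hook-less) chain: every packet gets mark 0x333, and frames from a
# listed MAC arriving on IFNAME get 0x666, which INPUT/FORWARD then accept.
# Everything else is logged and dropped.
gen_ip_ruleset() {
	ifname=$1; shift
	for m in "$@"; do
		is_mac "$m" || { echo "gen_ip_ruleset: bad MAC '$m'" >&2; return 1; }
	done
	cat <<EOF
flush ruleset
table ip filter {
	chain BROUTE {
		meta mark set 0x333
EOF
	for m in "$@"; do
		printf '\t\tiif "%s" ether saddr %s meta mark set 0x666\n' "$ifname" "$m"
	done
	cat <<EOF
	}
	chain INPUT {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		counter jump BROUTE
		meta mark & 0xffff == 0x666 counter accept
		log prefix "NFT_INPUT " counter drop
	}
	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		counter jump BROUTE
		meta mark & 0xffff == 0x666 counter accept
		log prefix "NFT_FORWARD " counter drop
	}
}
EOF
}

# gen_netdev_ruleset IFNAME MAC...: the ingress-hook variant. The table name
# follows the post's broute_<ifname> naming. The mark set here stays on the
# skb, so the ip-family INPUT/FORWARD rules above can match it directly.
gen_netdev_ruleset() {
	ifname=$1; shift
	for m in "$@"; do
		is_mac "$m" || { echo "gen_netdev_ruleset: bad MAC '$m'" >&2; return 1; }
	done
	printf 'table netdev broute_%s {\n' "$ifname"
	printf '\tchain ingress_%s {\n' "$ifname"
	printf '\t\ttype filter hook ingress device "%s" priority 0; policy accept;\n' "$ifname"
	printf '\t\tmeta mark set 0x333\n'
	for m in "$@"; do
		printf '\t\tether saddr %s meta mark set 0x666\n' "$m"
	done
	printf '\t}\n}\n'
}

# Usage (as root): gen_ip_ruleset enx9s9 11:22:33:44:55:66 | nft -c -f -
# -c only parses and checks the ruleset; drop it to actually load it.
```

`nft -c -f -` parses and validates the generated text without touching the live ruleset, which is the step to run before replacing a working ebtables configuration. The `iif "lo" accept` line is the one practical addition over the post's script: with `policy drop` on `INPUT` and no loopback rule, local services talking to 127.0.0.1 would be cut off as well.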
