
nftables: Move uRPF checks into seperate chain

  Previously uRPF checks were directly defined within the forward chain.
  In an effort to also do proper uRPF the rules are moved into a separate
  chain which can be included in the input chain, too.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm %!s(int64=2) %!d(string=hai) anos
pai
achega
996e84a89c
Modificáronse 1 ficheiros con 20 adicións e 22 borrados
  1. 20 22
      nftables/nftables.conf.tmpl

+ 20 - 22
nftables/nftables.conf.tmpl

@@ -57,22 +57,12 @@ table ip filter {
 
 	chain forward {
 		type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
+		jump urpf
 {#- custom rules #}
 {%- for rule in forward['rules'].get ('4', []) %}
 		{{ rule }}
 {%- endfor %}
 
-{#- uRPF #}
-{%- for iface_cfg in urpf  %}
-  {%- if loop.first %}
-		# uRPF
-  {%- endif %}
-  {%- for pfx in iface_cfg[4] %}
-		iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} accept
-  {%- endfor %}
-		iif {{ iface_cfg['iface'] }} counter drop
-{%- endfor %}
-
 {%- if forward['policy'] == 'drop' %}
 		limit rate 1/second burst 3 packets counter log prefix "nf forward: "
 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
@@ -123,6 +113,15 @@ table ip filter {
 {%- endfor %}
 	}
 
+	chain urpf {
+{%- for iface_cfg in urpf  %}
+  {%- for pfx in iface_cfg[4] %}
+		iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
+  {%- endfor %}
+		iif {{ iface_cfg['iface'] }} counter drop
+{%- endfor %}
+	}
+
 	chain vxlan {
 {%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
 		iif {{ iface }} accept
@@ -175,22 +174,12 @@ table ip6 filter {
 
 	chain forward {
 		type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
+		jump urpf
 {#- custom rules #}
 {%- for rule in forward['rules'].get ('6', []) %}
 		{{ rule }}
 {%- endfor %}
 
-{#- uRPF #}
-{%- for iface_cfg in urpf  %}
-  {%- if loop.first %}
-		# uRPF
-  {%- endif %}
-  {%- for pfx in iface_cfg[6] %}
-		iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} accept
-  {%- endfor %}
-		iif {{ iface_cfg['iface'] }} counter drop
-{%- endfor %}
-
 {%- if forward['policy'] == 'drop' %}
 		limit rate 1/second burst 3 packets counter log prefix "nf forward: "
 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
@@ -243,6 +232,15 @@ table ip6 filter {
 {%- endif %}
 	}
 
+	chain urpf {
+{%- for iface_cfg in urpf  %}
+  {%- for pfx in iface_cfg[6] %}
+		iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
+  {%- endfor %}
+		iif {{ iface_cfg['iface'] }} counter drop
+{%- endfor %}
+	}
+
 	chain vxlan {
 {%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
 		iif {{ iface }} accept
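Review bot: Replacing `accept` with `return` in the new `chain urpf` (both the ip and the ip6 table) changes what happens to a uRPF-validated packet: before, a source matching a prefix in `iface_cfg[4]`/`iface_cfg[6]` was accepted outright and skipped the rest of `chain forward`; now it returns to `forward` and is still evaluated against the custom rules and the `{{ forward['policy'] }}` policy, including the drop/reject branch. That is presumably the intended tightening, but the commit message does not say so, and because `jump urpf` now sits before the custom rules, a custom rule can no longer exempt traffic from the uRPF drop. Consider stating both changes in the commit message and restoring a comment above the chain, e.g. `# uRPF: return on a known source prefix for the interface, drop anything else arriving on it` (the old `# uRPF` comment was dropped). Since the dropped packets are counted but not logged, a rate-limited log in the style of the forward chain, `limit rate 1/second burst 3 packets counter log prefix "nf urpf: "` placed before the `iif {{ iface_cfg['iface'] }} counter drop` line, would make spoofed-source traffic visible to monitoring. The `forward` chain body continues outside the first and third hunks.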