[RFE]: nftables action - allow multiple chain hooks #3443
Comments
I don't think the chain can have more than 1 hook (must be verified yet), so firstly the idea was:

    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
    -   meta l4proto tcp ip saddr @addr-set-sshd reject with icmp port-unreachable
    -   meta l4proto tcp ip6 saddr @addr6-set-sshd reject with icmpv6 port-unreachable
    +   jump f2b-chain-doing
    }
    chain f2b-chain-fwd {
        type filter hook forward priority filter - 1; policy accept;
    -   meta l4proto tcp ip saddr @addr-set-f2b-fwd-sshd reject with icmp port-unreachable
    -   meta l4proto tcp ip6 saddr @addr6-set-f2b-fwd-sshd reject with icmpv6 port-unreachable
    +   jump f2b-chain-doing
    }
    chain f2b-chain-doing {
        meta l4proto tcp ip saddr @addr-set-sshd reject with icmp port-unreachable
        meta l4proto tcp ip6 saddr @addr6-set-sshd reject with icmpv6 port-unreachable
    }
I was thinking the same. My expertise on this is pretty low, unfortunately, therefore I made this PR instead of implementing it myself.
Yep, as assumed, 2 hooks seem to be impossible. PoC:

    # nft add table inet f2b-table
    # nft -- add chain inet f2b-table f2b-chain \{ type filter hook \{ input,forward \} priority -1 \; \}
    Error: syntax error, unexpected '{', expecting string
    add chain inet f2b-table f2b-chain { type filter hook { input,forward } priority -1 ; }
                                                          ^
    # nft -- add chain inet f2b-table f2b-chain \{ type filter hook "input,forward" priority -1 \; \}
    Error: syntax error, unexpected comma, expecting priority
    add chain inet f2b-table f2b-chain { type filter hook input,forward priority -1 ; }
                                                               ^
    # nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
    # nft -- add chain inet f2b-table f2b-chain \{ type filter hook forward priority -1 \; \}
    Error: Could not process rule: File exists
    add chain inet f2b-table f2b-chain { type filter hook forward priority -1 ; }
                             ^^^^^^^^^

Neither can two hooks be specified directly as a list in a single command, nor does it allow specifying 2 hooks one after the other. Also with:

    # nft add rule inet f2b-table f2b-chain-fwd goto f2b-chain
    Error: Could not process rule: Operation not supported
    add rule inet f2b-table f2b-chain-fwd goto f2b-chain
                                               ^^^^^^^^^

The only way I see at the moment is to use a common set for both chains.
Just to provide a workaround for the possibility to share a common set for 2 actions (with different hooks):

    [jail]
    banaction = nftables
    action = %(action_)s[actname="<name>-inp", chain="f2b-chain", chain_hook="input"]
             %(action_)s[actname="<name>-fwd", chain="f2b-chain-fwd", chain_hook="forward", actionban="", actionunban=""]

(note that both actions get different
because the set is still referenced in the rule of the 1st chain as the 2nd action is trying to remove it (after rule removal). As for the RFE, let's keep it open in case I (or someone else) find a better approach or begin to work on nft-action enhancements.
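The conclusion of the PoC above (one hook per chain, no goto from one base chain into another, so share the set instead) and the two-action workaround both boil down to the ruleset below. It is an added illustration for this thread, not code from the issue or from fail2ban's own nftables action; the table, chain and set names follow the thread, the addresses in the sets are constructed sample bans, and the reject expression uses the long `icmp type port-unreachable` form.

```nft
#!/usr/sbin/nft -f
# Added example (not from the issue or fail2ban): one shared pair of sets,
# two base chains, each carrying exactly one hook. Names follow the thread;
# the element addresses are constructed samples, not real bans.

table inet f2b-table {
    # Single source of truth for banned addresses. Both base chains read
    # these sets, so a ban/unban is one set update instead of two.
    set addr-set-sshd {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # constructed sample bans
    }
    set addr6-set-sshd {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::10 }                  # constructed sample ban
    }

    # Traffic addressed to this host (sshd on the host itself).
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        meta l4proto tcp ip saddr @addr-set-sshd reject with icmp type port-unreachable
        meta l4proto tcp ip6 saddr @addr6-set-sshd reject with icmpv6 type port-unreachable
    }

    # Routed traffic, e.g. towards containers. A chain may carry only one
    # hook, so a second base chain is required, but it references the very
    # same sets rather than a copy of them.
    chain f2b-chain-fwd {
        type filter hook forward priority filter - 1; policy accept;
        meta l4proto tcp ip saddr @addr-set-sshd reject with icmp type port-unreachable
        meta l4proto tcp ip6 saddr @addr6-set-sshd reject with icmpv6 type port-unreachable
    }
}
```

Check the file without touching the kernel with `nft -c -f <file>`, then load it with `nft -f <file>`. Because the forward chain references the sets, nft will refuse to delete them while that chain still exists, which is the "set is still referenced" failure described in the workaround comment: whichever action tears down last is the one that may remove the sets, and the other must leave them alone.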
Feature request type
Extend the nftables action to support hooking multiple chains, i.e. 'input' AND 'forward', while using a single address set.
Description
In some cases you might need to block within multiple chains, i.e. if one is using docker containers. To block any traffic going to the containers, a filter with the forward hook is required.
Currently this requires creating two actions, which will lead to two address sets being created, which are identical besides their name.
Configuration Proposal:
Considered alternatives
Defining multiple actions:
Unfortunately this will create multiple identical address sets in nftables that have to be updated on each ban/unban.
Marked with "<--- Identical !!!" (nftables list ruleset)
Any additional information