diff options
| author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 21:41:49 +0000 |
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2021-06-19 11:08:04 +0200 |
| commit | 23a84a3cfeac299ef34e422cdcd9ea3499376a90 (patch) | |
| tree | 7c1fee6d3af84e36b27699e814ace5471334fbf3 | |
| parent | f72c04ecb33b1319b611da9df8296c597092c376 (diff) | |
| download | labitat-ansible-23a84a3cfeac299ef34e422cdcd9ea3499376a90.tar.gz labitat-ansible-23a84a3cfeac299ef34e422cdcd9ea3499376a90.tar.xz labitat-ansible-23a84a3cfeac299ef34e422cdcd9ea3499376a90.zip | |
space_server: nftables: colo: use dynamic reverse path filter
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.
Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.
This change has been tested, and it's only possible to spoof
fellow labicolo members address space (same as before).
Esmil: prerouting before input/forward makes more sense to me
| -rw-r--r-- | roles/space_server/files/nftables.conf | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf index 30cda74..4930f2e 100644 --- a/roles/space_server/files/nftables.conf +++ b/roles/space_server/files/nftables.conf @@ -47,22 +47,18 @@ define nat64_if = nat64 define nat64_net4 = 10.42.128.0/17 define colo_if = lan20 -define colo_ip4 = 185.38.175.65 -define colo_net4 = { - 185.38.175.64/26, - 44.145.128.0/24, # graffen -} -define colo_net6 = { - 2a01:4262:1ab:20::/64, - 2a01:4262:1ab:1100::/60, # Asbjorn - 2a01:4262:1ab:1110::/60, # Esmil - 2001:678:15c::/48, # graffen - 2a0e:8f02:f034::/48 # Hafnium -} define avahi_ifs = { $wire_if, $priv_if, $pass_if } table ip filter { + chain prerouting { + type filter hook prerouting priority 0; + + # colo reverse path filtering + # find route to saddr on iif, get oif, drop if route is missing + iif $colo_if fib saddr . iif oif missing drop; + } + chain input { type filter hook input priority 0; @@ -139,7 +135,7 @@ table ip filter { iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept iif $pass_if ip saddr $pass_net4 accept iif $nat64_if ip saddr $nat64_net4 accept - iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept + iif $colo_if ip daddr != $int_net4 accept oif $colo_if accept ## debugging @@ -150,6 +146,14 @@ table ip filter { } table ip6 filter { + chain prerouting { + type filter hook prerouting priority 0; + + # colo reverse path filtering + # find route to saddr on iif, get oif, drop if route is missing + iif $colo_if fib saddr . iif oif missing drop; + } + chain input { type filter hook input priority 0; @@ -211,7 +215,7 @@ table ip6 filter { iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept iif $pass_if ip6 saddr $pass_net6 accept iif $futu_if ip6 saddr $futu_net6 accept - iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept + iif $colo_if ip6 daddr != $ext_net6 accept oif $colo_if accept ## debugging |