authorAsbjørn Sloth Tønnesen <asbjorn@labitat.dk>2021-06-18 21:41:49 +0000
committerEmil Renner Berthing <esmil@labitat.dk>2021-06-19 11:08:04 +0200
commit23a84a3cfeac299ef34e422cdcd9ea3499376a90 (patch)
tree7c1fee6d3af84e36b27699e814ace5471334fbf3
parentf72c04ecb33b1319b611da9df8296c597092c376 (diff)
space_server: nftables: colo: use dynamic reverse path filter
This patch changes the reverse path filtering of the labicolo VLAN to take place in the prerouting hook, using the kernel routing table, and removes the need to maintain a static prefix list. Labicolo routes are exported to the kernel routing table by BIRD, hence it should be sufficient to only have prefix lists there. This change has been tested, and it is only possible to spoof fellow labicolo members' address space (same as before). Esmil: prerouting before input/forward makes more sense to me
-rw-r--r--roles/space_server/files/nftables.conf32
1 files changed, 18 insertions, 14 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 30cda74..4930f2e 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -47,22 +47,18 @@ define nat64_if = nat64
define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
-define colo_ip4 = 185.38.175.65
-define colo_net4 = {
- 185.38.175.64/26,
- 44.145.128.0/24, # graffen
-}
-define colo_net6 = {
- 2a01:4262:1ab:20::/64,
- 2a01:4262:1ab:1100::/60, # Asbjorn
- 2a01:4262:1ab:1110::/60, # Esmil
- 2001:678:15c::/48, # graffen
- 2a0e:8f02:f034::/48 # Hafnium
-}
define avahi_ifs = { $wire_if, $priv_if, $pass_if }
table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
chain input {
type filter hook input priority 0;
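Review bot: The new prerouting rule `iif $colo_if fib saddr . iif oif missing drop;` is a strict reverse-path check against the kernel FIB, so the spoofing boundary is now whatever routes BIRD installs via $colo_if rather than the explicit prefix list this hunk removes; if a broad or default route were ever installed via that interface the check would pass for any source, and nothing in this file would catch it. That trust assumption belongs next to the rule, e.g. `# relies on BIRD installing only labicolo prefixes via $colo_if; a wider route here widens the spoofable range`. For visibility when the filter fires, `iif $colo_if fib saddr . iif oif missing counter drop;` lets `nft list chain` show hit counts. The hunk also removes `define colo_ip4`; if `$colo_ip4` is still referenced elsewhere in the file (outside this hunk) the ruleset will fail to load, so a `nft -c -f` check before deploying is worth doing. The `table ip6 filter` prerouting chain in the third hunk has the same points, and the input chain at the end of this hunk continues outside it.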
@@ -139,7 +135,7 @@ table ip filter {
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
iif $nat64_if ip saddr $nat64_net4 accept
- iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+ iif $colo_if ip daddr != $int_net4 accept
oif $colo_if accept
## debugging
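Review bot: The rewritten accept `iif $colo_if ip daddr != $int_net4 accept` no longer constrains the source at all, so its correctness now depends on the prerouting chain earlier in the file having already dropped unroutable sources; a reader of this chain alone cannot see that. A comment such as `# source already validated by the prerouting RPF rule` on that line would preserve the intent, and the same applies to the ip6 counterpart `iif $colo_if ip6 daddr != $ext_net6 accept` in the last hunk. The enclosing chain starts and ends outside this hunk.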
@@ -150,6 +146,14 @@ table ip filter {
}
table ip6 filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
chain input {
type filter hook input priority 0;
@@ -211,7 +215,7 @@ table ip6 filter {
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
iif $futu_if ip6 saddr $futu_net6 accept
- iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+ iif $colo_if ip6 daddr != $ext_net6 accept
oif $colo_if accept
## debugging