From ff7bfb2fbfa64a4763294b067c984c4b05244821 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Asbj=C3=B8rn=20Sloth=20T=C3=B8nnesen?=
Date: Fri, 18 Jun 2021 21:41:49 +0000
Subject: space_server: nftables: colo: use dynamic reverse path filter

This patch changes the reverse path filtering of the labicolo VLAN to take place in the prerouting hook, using the kernel routing table, and removes the need to maintain a static prefix list.

Labicolo routes are exported to the kernel routing table by BIRD, hence it should be sufficient to only have prefix lists there.

This change has been tested, and it's only possible to spoof fellow labicolo members address space (same as before).
---
 roles/space_server/files/nftables.conf | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 30cda74..f29c274 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -47,18 +47,6 @@ define nat64_if = nat64
 define nat64_net4 = 10.42.128.0/17
 define colo_if = lan20
-define colo_ip4 = 185.38.175.65
-define colo_net4 = {
- 185.38.175.64/26,
- 44.145.128.0/24, # graffen
-}
-define colo_net6 = {
- 2a01:4262:1ab:20::/64,
- 2a01:4262:1ab:1100::/60, # Asbjorn
- 2a01:4262:1ab:1110::/60, # Esmil
- 2001:678:15c::/48, # graffen
- 2a0e:8f02:f034::/48 # Hafnium
-}
 define avahi_ifs = { $wire_if, $priv_if, $pass_if }
@@ -139,7 +127,7 @@ table ip filter {
 iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
 iif $pass_if ip saddr $pass_net4 accept
 iif $nat64_if ip saddr $nat64_net4 accept
-iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+iif $colo_if ip daddr != $int_net4 accept
 oif $colo_if accept
 ## debugging
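Review bot: `iif $colo_if ip daddr != $int_net4 accept` now accepts any source address arriving on $colo_if as far as this chain is concerned; the source validation has moved to the `prerouting` chain added later in this patch, but nothing on this line records that dependency, so the chain audited on its own reads as open from the colo side. Suggest `# saddr is validated by the fib reverse-path check in chain prerouting` on that line. The enclosing chain starts and ends outside the hunk, and the same applies to the ip6 rule `iif $colo_if ip6 daddr != $ext_net6 accept` in the last hunk.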
@@ -147,6 +135,14 @@ table ip filter {
 #counter log prefix "fw4: " drop
 drop
 }
+
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
 }
 table ip6 filter {
@@ -211,13 +207,21 @@ table ip6 filter {
 iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
 iif $pass_if ip6 saddr $pass_net6 accept
 iif $futu_if ip6 saddr $futu_net6 accept
-iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+iif $colo_if ip6 daddr != $ext_net6 accept
 oif $colo_if accept
 ## debugging
 #counter log prefix "fw6: " drop
 drop
 }
+
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
 }
 table ip nat {
-- 
cgit v1.2.1
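Review bot: The rule `iif $colo_if fib saddr . iif oif missing drop;` carries a trailing semicolon that none of the other rules visible in this file use (`oif $colo_if accept`, `drop`); nft accepts `;` as a statement separator as far as I know, but for consistency it should read `iif $colo_if fib saddr . iif oif missing drop`, and the same applies to the ip6 prerouting chain in the next hunk. The chain comment should also record that the check depends on BIRD having exported the colo routes into the kernel table, so a BIRD outage or a withdrawn export drops colo traffic rather than admitting it, e.g. `# relies on BIRD exporting colo routes to the kernel; no route => drop (fails closed)`. Since this is a prerouting filter it applies to forwarded and locally delivered colo traffic alike, so any future exception has to be placed in this chain rather than in the input or forward chains.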
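Review bot: IPv6 neighbor discovery on the colo VLAN can carry the unspecified source `::` (DAD neighbor solicitations), for which the `fib saddr . iif oif` lookup yields no route as far as I know, so the new ip6 drop rule would also discard those solicitations from colo neighbours and this host could no longer answer a DAD probe for one of its own addresses. Worth verifying with a counter on the drop rule; if confirmed, an `ip6 saddr :: icmpv6 type nd-neighbor-solicit accept` placed before the fib rule keeps DAD working without weakening the reverse-path check for routable sources. The trailing semicolon and the fail-closed dependency on BIRD's route export noted on the ip filter prerouting chain apply to this chain as well.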