
Firewall - Add packet type matcher (pkttype)
Closed, Resolved (Public) - FEATURE REQUEST

Description

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4-rolling-202303060908
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

n.fort changed the task status from Open to Confirmed. Mar 6 2023, 10:54 AM
n.fort claimed this task.
n.fort created this task.
n.fort changed Version from - to vyos-1.4-rolling-202303060908.
Viacheslav changed the task status from Confirmed to In progress. Mar 6 2023, 6:47 PM

@n.fort I apologize for the late entry here - could this also be exposed for NAT rules?
Edit: wow you guys worked so fast on this it got pulled before I could add this request :D

@n.fort @Viacheslav
Here is an example of what I am after for a DNAT rule, specifically, using meta pkttype:

nft add rule inet firewall dstnat_chain meta pkttype host tcp dport 80 ip daddr != @rfc1918 counter dnat to 192.168.0.10

and how it looks in nft list ruleset output:

chain dstnat_chain {
        meta pkttype host tcp dport 80 ip daddr != @rfc1918 counter packets 0 bytes 0 dnat ip to 192.168.0.10
}
n.fort changed the task status from In progress to Needs testing. Mar 13 2023, 3:44 PM

@n.fort A quick test of this against latest rolling looks like it's working as expected for general firewall rules:

Version:

vyos@vyos:~$ sh version
Version:          VyOS 1.4-rolling-202303120743
Release train:    current

Built by:         [email protected]
Built on:         Sun 12 Mar 2023 07:43 UTC
Build UUID:       f0413059-7c5d-4744-a466-367e167102a2
Build commit ID:  fdc0441a77f010

Operational firewall view:

vyos@vyos:~$ show firewall name OUTSIDE-LOCAL rule 31
Rule Information

---------------------------------
IPv4 Firewall "OUTSIDE-LOCAL"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  -------------------------------------------
    31  accept    tcp                 1       52  ct state new tcp dport 22 meta pkttype host

vyos@vyos:~$

Configuration firewall view:

vyos@vyos# show firewall name OUTSIDE-LOCAL rule 31
 action accept
 description "Allow SSH"
 destination {
     port 22
 }
 packet-type host
 protocol tcp
 state {
     new enable
 }
[edit]

NFT ruleset view:

vyos@vyos:~$ sudo nft list ruleset | grep pkttype
                ct state new tcp dport 22 meta pkttype host counter packets 1 bytes 52 return comment "OUTSIDE-LOCAL-31"
vyos@vyos:~$

When I adjust the above rule 31 to type "other", it prevents SSH to the local host, as expected!

Only remaining issue for me is that I cannot use it for nat rules. Can the meta pkttype functionality also be enabled for nat rules? (valid example per T5055#144579)

Missing NAT functionality:

vyos@vyos# set nat destination rule 100 packet-type

  Configuration path: nat destination rule 100 [packet-type] is not valid

[edit]

Thank you again for implementing this!
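As an added example (not code from this thread or from VyOS), here is a small Python renderer and auditor: it turns a rule like OUTSIDE-LOCAL rule 31 above into the nft match expression shown in the ruleset view, then checks an `nft list ruleset` dump for it, so a `packet-type` matcher that never reached the kernel shows up as a mismatch rather than only as unexpected traffic behaviour. The rendering order and the `meta l4proto` fallback are assumptions modelled on the output posted here, and the ruleset dump is constructed.

```python
# Added example (not VyOS code): render a VyOS-style rule to the nft match
# expression the thread shows, then audit an `nft list ruleset` dump to confirm
# the `meta pkttype` matcher really reached the kernel.
import re

PKTTYPES = ("host", "broadcast", "multicast", "other")  # nft `meta pkttype` values

def render_match(rule):
    """Match part of an nft rule, in the order seen on this page:
    ct state, protocol + dport, meta pkttype (ordering assumed from the thread)."""
    parts = []
    states = [s for s in ("established", "related", "new", "invalid")
              if rule.get("state", {}).get(s) == "enable"]
    if states:
        parts.append("ct state " + ",".join(states))
    proto, dport = rule.get("protocol"), rule.get("destination", {}).get("port")
    if proto:  # `meta l4proto` without a port is an assumed rendering
        parts.append(f"{proto} dport {dport}" if dport else f"meta l4proto {proto}")
    pkttype = rule.get("packet-type")
    if pkttype is not None:
        if pkttype not in PKTTYPES:
            raise ValueError(f"unsupported packet-type {pkttype!r}")
        parts.append(f"meta pkttype {pkttype}")
    return " ".join(parts)

# One ruleset line: <match> counter packets N bytes N <verdict> ... comment "<name>"
RULE_RE = re.compile(
    r'^\s*(?P<match>.*?)\s+counter packets \d+ bytes \d+ \w+.*comment "(?P<name>[^"]+)"')

def audit_ruleset(dump, expected):
    """expected: {rule comment: match expression}. Per rule: 'ok' (live rule
    matches), 'mismatch' (e.g. pkttype silently dropped) or 'missing'."""
    live = {m["name"]: m["match"] for m in map(RULE_RE.match, dump.splitlines()) if m}
    return {name: "missing" if name not in live
            else "ok" if live[name] == match else "mismatch"
            for name, match in expected.items()}

# Constructed sample: rule 31 as posted in the thread, rule 32 lost its pkttype
# matcher on the way to the kernel, rule 33 never made it into the ruleset.
SSH_RULE = {"action": "accept", "protocol": "tcp", "packet-type": "host",
            "destination": {"port": 22}, "state": {"new": "enable"}}
SAMPLE_RULESET = """\
                ct state new tcp dport 22 meta pkttype host counter packets 1 bytes 52 return comment "OUTSIDE-LOCAL-31"
                ct state new tcp dport 443 counter packets 0 bytes 0 return comment "OUTSIDE-LOCAL-32"
"""
EXPECTED = {"OUTSIDE-LOCAL-31": render_match(SSH_RULE),
            "OUTSIDE-LOCAL-32": render_match({**SSH_RULE, "destination": {"port": 443}}),
            "OUTSIDE-LOCAL-33": render_match({**SSH_RULE, "packet-type": "multicast"})}
AUDIT = audit_ruleset(SAMPLE_RULESET, EXPECTED)  # {'OUTSIDE-LOCAL-31': 'ok', ...}
```

On a live router the same audit runs against `sudo nft list ruleset` output, with EXPECTED built from the committed configuration.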

I'll work on it on the next days.
I'll keep you posted!

@n.fort I was too impatient to wait for a rolling build so I ran my own build of current post-merge.

Happy to report that my initial tests show this is working exactly how I hoped it would! Thank you again for the super fast implementation of this feature.

@n.fort
My judgement may have been too hasty. The commands are accepted by VyOS configure, but it looks like the meta pkttype host is being ignored by my new nftables rules. That is, all IP addresses are matching, not just actual VyOS host router IP addresses.

After a bit more digging, it looks like I might need some NFT_META modules enabled or statically configured ("CONFIG_NFT_META" and/or "CONFIG_NFT_BRIDGE_META") in the kernel.

External references here:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/netfilter/nft_meta.c?h=v6.1.19
https://www.kernelconfig.io/config_nft_meta?q=&kernelversion=6.1.20&arch=x86

Can you please take a look and see if this is what's needed? Thank you again for all your work on this.

I have certain doubts about it.
Netfilter documentation is not always perfect, and many times you may find out some different options.

I think that the pkttype matcher is actually able to match three types of traffic:

  • Unicast (not able to distinguish between host and other)
  • Broadcast
  • Multicast

Docs:
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta

Also, from iptables doc (I know this is nftables, but most probably this is the same):

pkttype

This module matches the link-layer packet type.
--pkt-type [unicast|broadcast|multicast]

@n.fort In that case then this functionality does seem to be working as designed, even if the pkttype matcher isn't behaving exactly as I expected it to for "host".