With the move to nftables for fw4, I'm returning to trying to use UCI / LuCI for firewall management.
A couple of things that I'm used to doing with either hand-crafted nftables rules or other systems, I didn't immediately see a good way to manage.
If there are some helpful suggestions for these, I'd appreciate it.
Defined lists of IP ranges
For example, IPv4 "bogon" lists are around a dozen IP ranges. In a file-based approach, I'd define and use a set, such as
```
set blackhole_ipv4 {
    type ipv4_addr
    flags interval
    elements = {
        0.0.0.0/8,        # "default"
        10.0.0.0/8,       # RFC 1918
        100.64.0.0/10,    # bogon-bn-agg.txt 2017-08-17
        127.0.0.0/8,      # loopback
        169.254.0.0/16,   # Self-configured DHCP
        172.16.0.0/12,    # RFC 1918
        192.0.0.0/24,     # Vendor co-opted print servers
        192.0.2.0/24,     # NET TEST
        192.168.0.0/16,   # RFC 1918
        # 192.18.0.0/15,  # RFC 2455 (NOT IANA; for Harvard, for BMWG)
        # should be
        198.18.0.0/15,    # RFC 2544: Benchmarking
        192.42.172.0/24,  # NeXT-Default:
        192.88.99.0/24,   # RFC 3068
        198.51.100.0/24,  # bogon-bn-agg.txt 2017-08-17 (network address, not .1)
        203.0.113.0/24,   # bogon-bn-agg.txt 2017-08-17
        224.0.0.0/3,      # bogon-bn-agg.txt 2017-08-17
    }
}

ip daddr @blackhole_ipv4 \
[...]
```
Is there UCI support for this, short of repeating the list everywhere it is used?
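As an added example (my own code, not from the post or from OpenWrt/fw4), a small Python check to run over a list like the one above before it goes into an interval set: it masks host bits, reports ranges that overlap an earlier one (which nft rejects in an interval set unless auto-merge is declared), and renders the set definition. The sample list is constructed from the post's ranges with my own comments, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the ranges from the post (the commented-out typo
# line left out, the host-bit 198.51.100.1/24 entry kept to exercise the check).
BOGON_IPV4 = [
    ("0.0.0.0/8", "default"), ("10.0.0.0/8", "RFC 1918"),
    ("100.64.0.0/10", "RFC 6598"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("172.16.0.0/12", "RFC 1918"),
    ("192.0.0.0/24", "IETF protocol assignments"), ("192.0.2.0/24", "TEST-NET-1"),
    ("192.168.0.0/16", "RFC 1918"), ("198.18.0.0/15", "RFC 2544 benchmarking"),
    ("192.42.172.0/24", "NeXT default"), ("192.88.99.0/24", "RFC 3068"),
    ("198.51.100.1/24", "TEST-NET-2"), ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/3", "multicast and reserved"),
]


def check_intervals(entries):
    """Validate CIDR strings destined for an nft 'flags interval' set.

    Returns (sorted (network, comment) pairs, warnings). Host bits are masked
    off so each element denotes the whole network; ranges overlapping an
    earlier one are reported, since nft refuses conflicting intervals in a set
    that is not declared with auto-merge. Assumes one address family per list."""
    nets, warnings = [], []
    for cidr, comment in entries:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            warnings.append(f"{cidr}: host bits set, masked to {net}")
        nets.append((net, comment))
    nets.sort(key=lambda item: (int(item[0].network_address), item[0].prefixlen))
    covered_end = None  # highest address covered by the ranges seen so far
    for net, _ in nets:
        if covered_end is not None and net.network_address <= covered_end:
            warnings.append(f"{net}: overlaps an earlier range (nft needs auto-merge)")
        if covered_end is None or net.broadcast_address > covered_end:
            covered_end = net.broadcast_address
    return nets, warnings


def render_set(name, nets):
    """Emit an nft named set definition with one commented element per line."""
    lines = [f"set {name} {{", "    type ipv4_addr", "    flags interval", "    elements = {"]
    last = len(nets) - 1
    for i, (net, comment) in enumerate(nets):
        sep = "," if i < last else ""  # no trailing comma after the last element
        lines.append(f"        {net}{sep}  # {comment}")
    lines += ["    }", "}"]
    return "\n".join(lines)
```

Running `check_intervals(BOGON_IPV4)` on the sample list yields exactly one warning, for the host-bit entry, and `render_set("blackhole_ipv4", nets)` returns text that can be pasted into an nft table.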
Verify reverse route
A common feature of other OSes is the ability to check an incoming packet's IP address against the routing tables and determine whether the source address on the packet either or both arrived on the interface that a return packet would exit on, or that the source address is at least reachable through that interface.