NFT snippets/script placement and recommendations

Hi everyone!
Trying to move my X number of rules to something more manageable, so I was thinking about moving to IPSet
Unfortunately, we cannot, at least for now, use 2 different IPSet in a single fw4 rule (see here).
The main purpose is to handle some cases like:

Case 1

  • device1 has access to some ip/port
  • now device2 should have access to the same ip/port as device1
  • device1 and device2 might not be in the same vlan/subnet

Case 2

  • devices need access to the same ip/port on the router (dhcp, dns...)
  • devices are not in the same vlan/subnet

I ended up with something like this, which works for Case 2:

# cat /etc/config/firewall
...
config ipset
	option name 'all_subnet'
	list entry '192.168.1.0/24' # vlan 1
	list entry '192.168.2.0/24' # vlan 2
	option family 'ipv4'
	list match 'src_net'

config ipset
	option name 'dest_port_client'
	option comment 'open port to the router for client: dns dhcp tftp ntp iperf'
	list entry '53'
	list entry '67'
	list entry '69'
	list entry '123'
	list entry '5201'
	option match 'dest_port'

config include
	option	type		'nftables'
	option	path		'/etc/nftables.includes/test.nft'
	option	position	'chain-post'
	option	chain		'input'
...
# cat /etc/nftables.includes/test.nft
meta nfproto ipv4 tcp dport @dest_port_client ip saddr @all_subnet counter packets 0 bytes 0 accept comment "test"

But some questions arose:

  1. Is it possible to call some IPSet from another IPSet? Like
	set src_ip_device1 {
		type ipv4_addr
		elements = { xxx }
	}

	set src_ip_device2 {
		type ipv4_addr
		elements = { xxx }
	}

	set src_ip_device1_and_2 {
		type ipv4_addr
		elements = { src_ip_device1, src_ip_device2 } # or something like this
	}
  2. What about security? As, in my example for Case 2, it goes after everything else (especially jump):
	chain input { # handle 1
		...
		iifname { "eth0", "eth1" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" # handle 396
		iifname "br-test" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" # handle 397
		tcp dport @dest_port_client ip saddr @all_subnet counter packets 0 bytes 0 accept comment "test" # handle 398
	}

Same for Case 1 but in the forward table. Should I add these more generic types of rules in ruleset-pre/post, chain-pre/post... ? And what if I keep rules from fw4 itself (config rule...)?

Thanks!

Be aware that the UCI name ipset is not the same as the original ipset and UCI translates these to nftables sets. However, sets can be nested too as it was the case with the original ipset, see https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets
But I have not tested what the UCI syntax should look like.

Thanks @_bernd , define was exactly what I was looking for :slight_smile: But what about set vs define?
And yes, I was aware of the translation.

IMHO, it would be nice to have this kind of feature inside UCI.

Then remains the question about the order...
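To make the set-vs-define point concrete, here is an added example (my own, not code from the thread, from fw4 or from the nftables wiki) of a standalone nftables ruleset that builds one named set out of two per-device `define`s, which is the "call one set from another set" asked about in question 1. The table name `demo`, the chain, and all addresses are constructed for illustration. A `define` is a symbol that `nft` expands while parsing the file; nested braces are flattened, so the kernel only ever sees `src_ip_device1_and_2` as an ordinary named set holding the union. That is the practical difference from a `set`: a `define` cannot be listed or changed at runtime, whereas the resulting set can be inspected with `nft list set inet demo src_ip_device1_and_2` and updated with `nft add element` without touching the defines.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the forum thread or of fw4.
# Addresses, ports and the table name are constructed samples.
# Syntax-check without loading:  nft -c -f this-file.nft

# Per-device address lists: parse-time symbols, expanded by nft, never seen by the kernel.
define src_ip_device1 = { 192.168.1.10, 192.168.1.11 }   # lives in VLAN 1
define src_ip_device2 = { 192.168.2.20 }                 # lives in VLAN 2

# Router services that both devices may reach (same list as the thread's dest_port_client).
define dest_port_client = { 53, 67, 69, 123, 5201 }

table inet demo {
	# The union of both defines. Nested set expressions are flattened,
	# so this is a single ipv4_addr set with three elements.
	set src_ip_device1_and_2 {
		type ipv4_addr
		elements = { $src_ip_device1, $src_ip_device2 }
	}

	set dest_port_client {
		type inet_service
		elements = { $dest_port_client }
	}

	chain input {
		type filter hook input priority filter; policy drop;

		ct state established,related accept
		iifname "lo" accept

		# One rule serves both devices regardless of which VLAN they sit in.
		ip saddr @src_ip_device1_and_2 tcp dport @dest_port_client counter accept comment "shared client ports (tcp)"
		ip saddr @src_ip_device1_and_2 udp dport @dest_port_client counter accept comment "shared client ports (udp)"
	}
}
```

On the ordering question: in this standalone table the hook chain is explicit, so the rule order is whatever is written. Inside fw4, a `chain-post` include such as the one in the first post is only reached by packets that the zone chains (`input_wan`, `input_test`, ...) returned without a verdict, because an `accept` or `drop` reached through `jump` is final; so a `chain-post` accept cannot override a drop made earlier in the zone chains, it only widens what is allowed for packets nobody else decided on. Where the `define` lines would have to go in an fw4 include (a position outside the chain, rather than `chain-post`) is my assumption about fw4's include positions and is not something the thread confirms.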

I finally managed to find a way that, in my sense, is pretty secure: moving all "specific" rules (VLAN1 -> VLAN2, etc...) from "jumping_to_xxx" to the end of the forward rule.
I'm quite happy with that and it's more manageable.
