Gentoo Forums
nftables with vlans rules fails during boot (solved)
Forum: Networking & Security
Tender
Tux's lil' helper
Joined: 05 Nov 2005
Posts: 138

Posted: Thu Mar 24, 2016 10:04 pm    Post subject: nftables with vlans rules fails during boot (solved)

I would like to use nftables instead of iptables/ip6tables

But /etc/init.d/nftables, run during boot "before net", fails to set the VLAN rules because the VLAN interfaces do not yet exist. The error is like this:

Code:
nft add rule ip FILTER INPUT ip saddr 10.10.10.10 iif enp0s29f7u4.514 drop
<cmdline>:1:51-65: Error: Interface does not exist
add rule ip FILTER INPUT ip saddr 10.10.10.10 iif enp0s29f7u4.514 drop
                                                  ^^^^^^^^^^^^^^^


Obviously this doesn't happen with iptables/ip6tables.
Where am I going wrong?


Tender
Posted: Fri Mar 25, 2016 8:15 am

Software involved:

Code:
Linux lowpower4 4.1.15-gentoo-r1 #1 SMP Sat Jan 23 09:42:19 CET 2016 x86_64 Intel(R) Atom(TM) CPU D525 @ 1.80GHz GenuineIntel GNU/Linux

[I] net-firewall/nftables
     Available versions:  (~)0.5-r2 {debug gmp +readline}
     Installed versions:  0.5-r2(09:37:40 AM 11/04/2015)(gmp readline -debug)
     Homepage:            http://netfilter.org/projects/nftables/
     Description:         Linux kernel (3.13+) firewall, NAT and packet mangling tools
Tender
Posted: Fri Mar 25, 2016 10:08 am

I helped myself: using iifname/oifname instead of iif/oif, as clearly explained here https://home.regit.org/netfilter-en/nftables-quick-howto/:

Quote:
Filter on interface
To accept all packets going out on loopback interface:

nft insert rule filter output oif lo accept

And for packet coming in on eth2:

nft insert rule filter input iif eth2 accept

Please note that oif is in reality a match on the integer which is the index of the interface inside of the kernel. Userspace is converting the given name to the interface index when the nft rule is evaluated (before being sent to kernel). A consequence of this is that the rule can not be added if the interface does not exist. Another consequence is that if the interface is removed and created again, the match will not occur as the index of added interfaces in kernel is monotonically increasing. Thus, oif is a fast filter but it can lead to some issues when dynamic interfaces are used. It is possible to do a filter on interface name but it has a performance cost because a string match is done instead of an integer match. To do a filter on interface name, one has to use oifname:

nft insert rule filter input oifname ppp0 accept


I think it's worth explaining this circumstance on the Gentoo wiki site by integrating it into the document https://wiki.gentoo.org/wiki/Nftable
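The difference the thread settles on, as an added ruleset example (not code from the original post or from the Gentoo wiki). The table and chain names, the interface enp0s29f7u4.514 and the address 10.10.10.10 are taken from the first post; that they are a VLAN on enp0s29f7u4 with a 10.10.10.0/24 peer is an assumption. The commented-out iif rule is the one that fails when the VLAN interface does not exist yet at boot; the iifname rule below it is loadable at any time because it is a string comparison on the interface name at packet time rather than a lookup of the kernel ifindex when the rule is loaded.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Names and addresses are
# assumptions chosen to match the thread.

flush ruleset

table ip FILTER {
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # iif: userspace resolves the name to the kernel ifindex when this
        # rule is loaded. At boot, before the VLAN device is created, that
        # lookup fails with "Interface does not exist" and the whole ruleset
        # load aborts. If the device is later deleted and re-created, the
        # stored index is stale and the rule silently stops matching.
        # ip saddr 10.10.10.10 iif enp0s29f7u4.514 drop

        # iifname: the match is a string comparison against the interface
        # name of each packet, so the rule loads whether or not the VLAN
        # device exists yet and keeps matching if the device is re-created.
        # Slightly more expensive per packet than the integer iif match.
        ip saddr 10.10.10.10 iifname "enp0s29f7u4.514" drop

        # Same principle for the other direction (assumed example):
        # oifname survives interface churn, oif does not.
        ip daddr 10.10.10.10 oifname "enp0s29f7u4.514" counter
    }
}
```

With the iif line commented out this file loads cleanly from the init script before the VLAN devices exist; uncommenting it reproduces the error quoted in the first post, since the ifindex resolution happens in userspace at load time regardless of which interface the rule is ultimately meant to match. Using iifname for physical NICs as well as VLANs is the simplest way to make a boot-time ruleset independent of device ordering; the per-packet cost of the string match only matters on very hot paths.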