
Is it possible to query interface address using nftables? For example,

ip daddr = ifname_addr "eth0" counter accept

Consider a system that has 4 interfaces: eth0 eth1 eth2 eth3. It is desirable to isolate eth0 from eth3, but not from eth1 eth2. To implement it, traffic coming from eth0 needs to be rejected in case its destination address belongs to eth3. For example,

iifname "eth0" ip daddr eth3.ip.4.address counter reject

This implies that the address of eth3 is known in advance, but this might not be the case. Does nftables provide any tools to deal with this kind of situation?

EDIT

There was some confusion due to my uneducated phrasing of the question. Consider a system with 3 interfaces.

eth0 172.0.0.1/24
eth1 172.0.1.1/24
eth2 172.0.2.1/24

Consider a machine named X that is connected to eth0 together with you. If X uses you as a gateway to reach e.g. 172.0.1.10, then the traffic flows through the forwarding chain in netfilter. This traffic is easily filtered using the forward hook in nftables.

On the other hand, if X tries to reach 172.0.1.1, the traffic will be processed by the input chain in netfilter. Due to Linux using the weak host model, the traffic will not even touch the eth1 interface, i.e. it will arrive on eth0 and leave through eth0 despite formally accessing the IP address that is assigned to eth1.

Consider that you want to prevent X from accessing the address assigned to eth2, but do not mind it accessing the address assigned to eth1. It can be done using the following rule in the input hook

iifname "eth0" ip daddr 172.0.2.1 counter reject

I was wondering if the same could be done without knowing the assigned address of eth2 in advance.

  • this is really confused (more than confusing, though it's also confusing): Why do your packets from these interfaces get routed to the other interfaces? The moment you don't add these entries to your routing table, which is typically a manual process (unless you're administrating e.g. a BGP router, in which case you wouldn't ask these questions). So, the thing that needs to change to isolate the interfaces is simply you not telling your computer to route packets between them. Commented Jun 1 at 18:55
  • I do not understand you. Why shouldn't they get routed? The routes are created automatically when I run ip addr add. Is there an ip rule to prevent traffic going between interfaces? Commented Jun 1 at 19:24
  • no, routes to route packets from one device to another are not automatically created when you ip addr add. Commented Jun 1 at 20:07
  • ...they kind of are, though. Adding an address adds a subnet route, for the host itself to use. Although it seems that OP wants to prevent connections to the host's own address, either way. Commented Jun 1 at 20:10
  • @grawity has grasped it well. For example, assume only two interfaces: eth0 and eth1. You manually assign them addresses 172.0.0.1/24 and 172.0.1.1/24 respectively. Automatically, the system will create subnet routes 172.0.0.0/24 dev eth0 src 172.0.0.1 and 172.0.1.0/24 dev eth1 src 172.0.1.1 respectively. Suppose a computer sends you a packet using 172.0.0.1 as the gateway with destination address 172.0.1.1 through eth0. Since the route to 172.0.1.1 exists, the packet will be delivered without issues. Commented Jun 1 at 20:35
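The selective case in the question (reject input traffic arriving on eth0 whose destination is an address of eth2, while eth1's address stays reachable, and without writing eth2's address into the ruleset) can be handled by keeping eth2's addresses in a named nftables set and filling that set from the kernel's own view of the interface. The script below is an added example written for this page; it is not code from the question, from the comments, or from the nftables project. It parses the JSON printed by `ip -j addr show` (a constructed sample of that output, using the question's addressing, is embedded so it runs offline) and emits the nft commands. The table, chain and set names (`inet filter`, `input`, `eth2_v4`, `eth2_v6`) are naming assumptions chosen for the example.

```python
"""Reject traffic that arrives on one interface and is addressed to another
interface's addresses, without hard-coding those addresses in the ruleset.

Added example for this question, not code from the nftables project.
Addresses are taken from the JSON output of `ip -j addr show`; a constructed
sample of that output is embedded below so the script runs offline.

Live usage:
    python3 nft_iface_isolation.py setup eth0 eth2 | nft -f -        # once
    ip -j addr show | python3 nft_iface_isolation.py refresh eth2 | nft -f -
"""
import json
import sys

# Constructed sample of `ip -j addr show` output for the three-interface
# setup in the question (not captured from a real host). Field names follow
# iproute2's JSON format: "ifname", "addr_info", "family", "local".
SAMPLE_IP_ADDR_JSON = json.dumps([
    {"ifindex": 1, "ifname": "lo", "addr_info": [
        {"family": "inet", "local": "127.0.0.1", "prefixlen": 8},
        {"family": "inet6", "local": "::1", "prefixlen": 128}]},
    {"ifindex": 2, "ifname": "eth0", "addr_info": [
        {"family": "inet", "local": "172.0.0.1", "prefixlen": 24}]},
    {"ifindex": 3, "ifname": "eth1", "addr_info": [
        {"family": "inet", "local": "172.0.1.1", "prefixlen": 24}]},
    {"ifindex": 4, "ifname": "eth2", "addr_info": [
        {"family": "inet", "local": "172.0.2.1", "prefixlen": 24},
        {"family": "inet", "local": "172.0.2.2", "prefixlen": 24},
        {"family": "inet6", "local": "2001:db8:2::1", "prefixlen": 64},
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64}]},
])

# Assumed table and chain naming (chosen for this example).
TABLE = "inet filter"
CHAIN = "input"


def set_names(protected_if):
    """Names of the per-interface sets, e.g. ('eth2_v4', 'eth2_v6')."""
    return f"{protected_if}_v4", f"{protected_if}_v6"


def interface_addresses(ip_addr_json, ifname):
    """Return {'ip': [...], 'ip6': [...]} with every address assigned to ifname."""
    addrs = {"ip": [], "ip6": []}
    for link in json.loads(ip_addr_json):
        if link.get("ifname") != ifname:
            continue
        for info in link.get("addr_info", []):
            if info.get("family") == "inet":
                addrs["ip"].append(info["local"])
            elif info.get("family") == "inet6":
                addrs["ip6"].append(info["local"])
    if not addrs["ip"] and not addrs["ip6"]:
        # Fail closed: flushing to an empty set would silently allow everything.
        raise ValueError(f"no addresses found for interface {ifname!r}")
    return addrs


def nft_setup_commands(iif, protected_if):
    """One-time commands: table, chain, the two sets and the two reject rules.
    'add rule' is not idempotent, so this must not be rerun on every refresh."""
    set4, set6 = set_names(protected_if)
    return [
        f"add table {TABLE}",
        f"add chain {TABLE} {CHAIN} {{ type filter hook input priority 0; policy accept; }}",
        f"add set {TABLE} {set4} {{ type ipv4_addr; }}",
        f"add set {TABLE} {set6} {{ type ipv6_addr; }}",
        f'add rule {TABLE} {CHAIN} iifname "{iif}" ip daddr @{set4} counter reject',
        f'add rule {TABLE} {CHAIN} iifname "{iif}" ip6 daddr @{set6} counter reject',
    ]


def nft_refresh_commands(ip_addr_json, protected_if):
    """Idempotent commands that replace the set contents with the interface's
    current addresses; rerun whenever those addresses change."""
    addrs = interface_addresses(ip_addr_json, protected_if)
    set4, set6 = set_names(protected_if)
    cmds = [
        f"add set {TABLE} {set4} {{ type ipv4_addr; }}",   # no-op if it exists
        f"add set {TABLE} {set6} {{ type ipv6_addr; }}",
        f"flush set {TABLE} {set4}",
        f"flush set {TABLE} {set6}",
    ]
    if addrs["ip"]:
        cmds.append(f"add element {TABLE} {set4} {{ {', '.join(addrs['ip'])} }}")
    if addrs["ip6"]:
        cmds.append(f"add element {TABLE} {set6} {{ {', '.join(addrs['ip6'])} }}")
    return cmds


if __name__ == "__main__":
    if sys.argv[1:2] == ["setup"] and len(sys.argv) == 4:
        print("\n".join(nft_setup_commands(sys.argv[2], sys.argv[3])))
    elif sys.argv[1:2] == ["refresh"] and len(sys.argv) == 3:
        print("\n".join(nft_refresh_commands(sys.stdin.read(), sys.argv[2])))
    else:  # offline demonstration on the constructed sample
        print("\n".join(nft_setup_commands("eth0", "eth2")
                        + nft_refresh_commands(SAMPLE_IP_ADDR_JSON, "eth2")))
```

Run the `setup` output once and the `refresh` output whenever eth2's addresses change (for example from a NetworkManager dispatcher script or a systemd-networkd hook), piping each into `nft -f -`; `add set`, `flush set` and `add element` are safe to repeat, `add rule` is not. If the goal were instead to reject traffic from eth0 to the addresses of every other interface, nftables can express that without any set at all through the fib expression: the nft(8) man page's example `fib daddr . iif type != { local, broadcast, multicast } drop` drops packets whose destination address is not configured on the incoming interface, which is a strong-host-model check. That form cannot tell eth1 from eth2, which is why the set-based approach is used here for the question's selective case.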
