The global chain contains INPUT specific rules #9
Comments
|
BTW, the default ICMP configuration is somehow broken with echo request allowed both in and out but no echo reply allowed in either direction. So ping does not work (in either direction). One more reason to move the ICMP rules away from the |
|
yeah sounds good to me |
|
I'd suggest to have the ICMPv4/v6 packet types allowed for each chain as parameters of with perhaps default lists of ICMPv4/ICMPv6 packets to allow in each direction or simply a default that accepts all ICMP traffic. Then use these parameters to add individual rules in If I understand the proposal correctly the global chain will be reduced to just: as @LionelCons Perhaps if @duritong and @keachi like the proposal you could produce a proposal for the default values of
|
Not really because in So, remove global? |
|
or just keep it empty. |
|
It could indeed be handy to have a common chain shared by all the master chains (BTW, should it be called But this common chain should be empty by default. The ICMP rules should end up in separate files and the connection tracking should be added to the For maximum flexibility, it should be possible to get a configuration with no rules at all by changing a few variables. |
|
I can confirm that the conntrack rules moved out of the As for the default ICMP rules, this is really a matter of taste. I am in favour of a very limited set of rules but others prefer to allow everything, only limiting the rate. See for instance https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server. |
|
@LionelCons could you please share with us your preferred defaults for ICMP4/6 in/out traffic so we can use them as a base to start discussing? |
|
Here is what I allow for the incoming traffic:
This mainly allows I do not filter the outgoing traffic. |
|
The main question is: what do we want in the API?
An incoming |
|
Ok, thanks. I'll check the RHEL8 defaults (as suggested by @Feandil) and come back with a proposal in code. |
|
If I'm not reading it wrong, the RHEL8 default (checked on a 8.2 image) is:
RHEL8.2 rules: http://cern.ch/stikked/view/70c7ee72 |
|
There's a proposal in code available. |
|
@LionelCons For info the proposed patch allows setting your configuration by doing: nftables::rules::icmp::v4_types:
- "echo-request limit rate 4/second"
- "echo-reply"
- "time-exceeded"
- "destination-unreachable"
nftables::rules::icmp::v6_types:
- "echo-request limit rate 4/second"
- "echo-reply"
- "time-exceeded"
- "destination-unreachable"
- "nd-neighbor-advert"
- "nd-neighbor-solicit"
- "nd-router-advert"leading to this ruleset: |
|
Very good! Note that it seems that one could also write: I don't know if this is intended but this allows a more compact set of rules... |
|
I really appreciate this idea of exposing the icmp types to class parameters. |
|
Great, thanks :) I'll remove the draft flag once #15 is merged (need that patch to run the test suite). |
The current
globalchain is documented as "something we want for all" and it is used in the 3 master chains (INPUT,OUTPUTandFORWARD).However, it contains rules that are specific to the
INPUTchain, for instance:It does not really make sense to rate limit the echo request in the
OUTPUTorFORWARDchain. So this rule is more for theINPUTchain.IMHO, only the rules which are always valid for all the master chains should end up in the
globalchain. And I wonder whether state tracking (ct state established,related accept) makes sense in theFORWARDchain...In any case, ICMP handling (both as input and as output) should IMHO be moved into specific rules like we have for most protocols.
The text was updated successfully, but these errors were encountered: