netfilter.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jacek Tomasiak <jtomasiak@arista.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Matching on protocols inside IPv6 IPSec AH (legacy vs nft)
Date: Fri, 7 Jul 2023 09:28:45 +0200
Message-ID: <ZKe+rYq5aeEThuRN@calendula>
In-Reply-To: <CAPEBPyMWBzsROxN5Em7dGCpG2TXncC+Gu_1BD81vV2HysLo2Ow@mail.gmail.com>

On Mon, Jun 26, 2023 at 02:06:47PM +0200, Jacek Tomasiak wrote:
> > > My main concern is that in the nft version the AH rule matches one of the ICMP
> > > packets even though the ICMP rule is higher up on the list.
> > >
> > > I tried to debug this and it seems to be related to this change:
> > > https://github.com/torvalds/linux/commit/568af6de058cb2b0c5b98d98ffcf37cdc6bc38a7
> > > IIUC, this "stop ipv6_find_hdr on AH" is not a regression but intended behavior.
> > >
> > > Now the question: is there some way to define rules which will match
> > > the same way as it works in iptables-legacy? That is, look at the
> > > inner protocol and not stop on AH?
> >
> > IIRC behaviour between iptables-legacy and ip6tables-legacy with
> > regards to AH is inconsistent, because ip6tables-legacy -p matches on
> > the inner header encapsulated by AH, but iptables-legacy matches on AH
> > with -p.
> 
> OK, I understand that this was an inconsistency and it was fixed with
> the above change in the kernel, but does this mean that there is
> currently no way to check the inner protocol? Or maybe there is some
> other match or extension which could be used to get the "old iptables
> style" behaviour?

There is the nft_inner infrastructure, which allows matching on the
inner protocol after AH.
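To make the behaviour the thread is comparing concrete, the following is an added example; it is not code from this thread, from the kernel, or from nftables. It walks an IPv6 extension-header chain in the spirit of the kernel's ipv6_find_hdr() (simplified: no fragment, ESP or jumbogram handling) and evaluates a two-rule, first-match chain shaped like the one in the question (an ICMPv6 rule followed by an AH rule). With the walk stopping at AH, as the referenced commit does, the ICMPv6-inside-AH packet hits the AH rule; with the walk stepping over AH, the ip6tables-legacy behaviour described in the quoted reply, it hits the ICMPv6 rule. The packet bytes, addresses, SPI and ICV are all constructed for the example. Nothing here shows nft_inner syntax; it only models the two header-walk semantics.

```python
"""Added example, not code from the netfilter thread, the kernel or nftables.

find_hdr() walks the IPv6 extension-header chain in two modes:
  stop_at_ah=True   AH (protocol 51) ends the walk, so a protocol match sees 51.
  stop_at_ah=False  AH is stepped over using its own length encoding, so the
                    match sees the header AH encapsulates.
All packets below are constructed by hand; addresses, SPI and ICV are dummies.
"""
import ipaddress
import struct
from typing import List, Tuple

IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_AH = 51
IPPROTO_ICMPV6 = 58
IPPROTO_DSTOPTS = 60

# RFC 8200 extension headers: Hdr Ext Len counts 8-octet units, excluding
# the first 8 octets.
RFC8200_EXTHDRS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}


def find_hdr(pkt: bytes, stop_at_ah: bool) -> Tuple[int, int]:
    """Return (protocol, offset) of the first header the walker will not step over."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nexthdr, offset = pkt[6], 40
    while True:
        if nexthdr in RFC8200_EXTHDRS:
            if offset + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nexthdr, hdrlen = pkt[offset], pkt[offset + 1]
            offset += (hdrlen + 1) * 8
        elif nexthdr == IPPROTO_AH:
            if stop_at_ah:
                return nexthdr, offset
            if offset + 2 > len(pkt):
                raise ValueError("truncated AH")
            # RFC 4302: AH Payload Len is in 32-bit words minus 2, a different
            # unit from the other extension headers. Applying the RFC 8200
            # formula here would misparse every AH packet.
            nexthdr, payload_len = pkt[offset], pkt[offset + 1]
            offset += (payload_len + 2) * 4
        else:
            return nexthdr, offset
        if offset > len(pkt):
            raise ValueError("extension header runs past end of packet")


SRC = ipaddress.IPv6Address("2001:db8::1").packed  # constructed addresses
DST = ipaddress.IPv6Address("2001:db8::2").packed


def build_ah_icmpv6(with_hop_by_hop: bool = False) -> bytes:
    """IPv6 [Hop-by-Hop] AH ICMPv6-echo-request, every field constructed by hand."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1) + b"ping"  # checksum left 0
    # AH: Next Header, Payload Len, Reserved, SPI, Sequence, 12-byte dummy ICV.
    # 24 bytes total -> Payload Len = 24/4 - 2 = 4.
    ah = struct.pack("!BBHII", IPPROTO_ICMPV6, 4, 0, 0x1000, 1) + b"\x00" * 12
    payload = ah + icmp
    first = IPPROTO_AH
    if with_hop_by_hop:
        # Hop-by-Hop: Next Header = AH, Hdr Ext Len = 0 (8 octets), PadN(4) option.
        payload = bytes([IPPROTO_AH, 0, 1, 4, 0, 0, 0, 0]) + payload
        first = IPPROTO_HOPOPTS
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), first, 64, SRC, DST)
    return ip6 + payload


# Two-rule chain shaped like the one in the thread: protocol match, first rule wins.
RULES: List[Tuple[str, int]] = [("accept icmpv6", IPPROTO_ICMPV6), ("accept ah", IPPROTO_AH)]


def first_matching_rule(pkt: bytes, stop_at_ah: bool, rules=RULES) -> str:
    proto, _ = find_hdr(pkt, stop_at_ah)
    for name, want in rules:
        if want == proto:
            return name
    return "chain policy"


if __name__ == "__main__":
    for hbh in (False, True):
        pkt = build_ah_icmpv6(with_hop_by_hop=hbh)
        for stop in (True, False):
            proto, off = find_hdr(pkt, stop)
            print(f"hop-by-hop={hbh} stop_at_ah={stop}: proto {proto} at offset {off}"
                  f" -> {first_matching_rule(pkt, stop)}")
```

The check worth keeping from this is the AH length unit: AH's Payload Len is in 32-bit words minus two, while Hop-by-Hop, Routing and Destination Options use 8-octet units minus one, so a walker that reuses the generic formula on AH lands in the middle of the ICV and reports garbage as the next protocol.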

Thread overview: 4+ messages
2023-06-22 13:25 Matching on protocols inside IPv6 IPSec AH (legacy vs nft) Jacek Tomasiak
2023-06-22 22:00 ` Pablo Neira Ayuso
2023-06-26 12:06   ` Jacek Tomasiak
2023-07-07  7:28     ` Pablo Neira Ayuso [this message]
