From: Yu Watanabe Date: Fri, 1 Sep 2023 11:13:39 +0000 (+0900) Subject: Merge pull request #24570 from topimiettinen/nft-sets-v2 X-Git-Tag: v255-rc1~612 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d4c874d3cd25fe92e0e6169c49cac1e0f95ce9f;p=thirdparty%2Fsystemd.git Merge pull request #24570 from topimiettinen/nft-sets-v2 network: firewall integration with NFT sets --- 1d4c874d3cd25fe92e0e6169c49cac1e0f95ce9f diff --cc man/systemd.network.xml index 8456eb71b68,8d0306771e8..9a44db6d308 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@@ -1320,10 -1198,88 +1320,90 @@@ allow my_server_t localnet_peer_t:peer to only allow my_server_t (and nothing else) to receive data from local subnet 10.0.0.0/8 of interface eth0. + + + + + NFTSet=source:family:table:set + + This setting provides a method for integrating network configuration into firewall rules with + NFT sets. The benefit of + using the setting is that static network configuration (or dynamically obtained network addresses, + see similar directives in other sections) can be used in firewall rules with the indirection of NFT + set types. For example, access could be granted for hosts in the local subnetwork only. Firewall + rules using IP address of an interface are also instantly updated when the network configuration + changes, for example via DHCP. + + This option expects a whitespace separated list of NFT set definitions. Each definition + consists of a colon-separated tuple of source type (one of address, + prefix or ifindex), NFT address family (one of + arp, bridge, inet, ip, + ip6, or netdev), table name and set name. The names of tables + and sets must conform to lexical restrictions of NFT table names. The type of the element used in + the NFT filter must match the type implied by the directive (address, + prefix or ifindex) and address type (IPv4 or IPv6) as shown + in the table below. 
+ + + Defined <varname>source type</varname> values + + + + + + + Source type + Description + Corresponding NFT type name + + + + + + address + host IP address + ipv4_addr or ipv6_addr + + + prefix + network prefix + ipv4_addr or ipv6_addr, with flags interval + + + ifindex + interface index + iface_index + + + +
+ + When an interface is configured with IP addresses, the addresses, subnetwork masks or + interface index will be appended to the NFT sets. The information will be removed when the + interface is deconfigured. systemd-networkd only inserts elements to (or removes + from) the sets, so the related NFT rules, tables and sets must be prepared elsewhere in + advance. Failures to manage the sets will be ignored. + + Example: + [Address] + NFTSet=prefix:netdev:filter:eth_ipv4_prefix + Corresponding NFT rules: + table netdev filter { + set eth_ipv4_prefix { + type ipv4_addr + flags interval + } + chain eth_ingress { + type filter hook ingress device "eth0" priority filter; policy drop; + ip daddr != @eth_ipv4_prefix drop + accept + } + } + +
+
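Review bot: "Failures to manage the sets will be ignored" is the security-relevant sentence of this [Address] NFTSet= hunk and it needs a caveat: if the set is missing, belongs to a different family, or has the wrong element type, the interface comes up with the set left empty, so the docs should tell admins to write rules that fail closed in that case and to check the journal after a change. The shipped example already does this (`ip daddr != @eth_ipv4_prefix drop` drops everything while the set is empty); a sentence saying so, plus a warning that a deny-list rule such as `ip saddr @blocked drop` fails open, would make the intent explicit. Two smaller points in the same hunk: "the addresses, subnetwork masks or interface index will be appended" should say "prefixes" to match the `prefix` source type and the `flags interval` row in the table, and the table does not say which address families the `ifindex` source type is meaningful for (`iface_index` is not an address type, so the family restriction to ip/ip6 that applies to `address`/`prefix` presumably does not).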
@@@ -2493,10 -2292,19 +2573,21 @@@ This applies the NetLabel for the addresses received with DHCP, like NetLabel= in [Address] section applies it to statically configured addresses. See NetLabel= in [Address] section for more details. + + + + + NFTSet= + + This applies the NFT set for the network configuration received with DHCP, like + NFTSet= in [Address] section applies it to static configuration. See + NFTSet= in [Address] section for more details. For address or + prefix source types, the type of the element used in the NFT filter must be + ipv4_addr. + + @@@ -2763,10 -2560,19 +2865,21 @@@ This applies the NetLabel for the addresses received with DHCP, like NetLabel= in [Address] section applies it to statically configured addresses. See NetLabel= in [Address] section for more details. + + + + + NFTSet= + + This applies the NFT set for the network configuration received with DHCP, like + NFTSet= in [Address] section applies it to static configuration. See + NFTSet= in [Address] section for more details. For address or + prefix source types, the type of the element used in the NFT filter must be + ipv6_addr. + + @@@ -3115,10 -2869,19 +3228,21 @@@ Token=prefixstable:2002:da8:1::This applies the NetLabel for the addresses received with RA, like NetLabel= in [Address] section applies it to statically configured addresses. See NetLabel= in [Address] section for more details. + + + + + NFTSet= + + This applies the NFT set for the network configuration received with RA, like + NFTSet= in [Address] section applies it to static configuration. See + NFTSet= in [Address] section for more details. For address or + prefix source types, the type of the element used in the NFT filter must be + ipv6_addr. 
+ + diff --cc src/network/networkd-network-gperf.gperf index 022bd597583,14734dadd5d..6309baa0569 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@@ -367,8 -368,8 +371,9 @@@ DHCPPrefixDelegation.ManageTemporaryAdd DHCPPrefixDelegation.Token, config_parse_address_generation_type, 0, offsetof(Network, dhcp_pd_tokens) DHCPPrefixDelegation.RouteMetric, config_parse_uint32, 0, offsetof(Network, dhcp_pd_route_metric) DHCPPrefixDelegation.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, dhcp_pd_netlabel) + DHCPPrefixDelegation.NFTSet, config_parse_nft_set, 0, offsetof(Network, dhcp_pd_nft_set_context) IPv6SendRA.RouterLifetimeSec, config_parse_router_lifetime, 0, offsetof(Network, router_lifetime_usec) +IPv6SendRA.RetransmitSec, config_parse_router_retransmit, 0, offsetof(Network, router_retransmit_usec) IPv6SendRA.Managed, config_parse_bool, 0, offsetof(Network, router_managed) IPv6SendRA.OtherInformation, config_parse_bool, 0, offsetof(Network, router_other_information) IPv6SendRA.RouterPreference, config_parse_router_preference, 0, 0
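Review bot: the three mirrored NFTSet= paragraphs for [DHCPv4], [DHCPv6] and [IPv6AcceptRA] say that for `address` or `prefix` source types the element type "must be ipv4_addr" (or "ipv6_addr") but drop the `flags interval` requirement that the [Address] table attaches to `prefix`; a set declared `type ipv4_addr` without `flags interval` will not accept a prefix element, so the sentence should read "ipv4_addr, with flags interval for the prefix source type" (and likewise for ipv6_addr). It would also help to state that the `ifindex` source type behaves the same in these sections as in [Address], since the sentence only constrains the two address-bearing types.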
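Review bot: the gperf hunk registers `DHCPPrefixDelegation.NFTSet` with `config_parse_nft_set` into `dhcp_pd_nft_set_context`, but the man-page hunks visible in this merge document NFTSet= only for [Address], [DHCPv4], [DHCPv6] and [IPv6AcceptRA]; please confirm that a matching [DHCPPrefixDelegation] NFTSet= entry exists (with the ipv6_addr element-type note, as delegated prefixes are IPv6 only), otherwise the key is parsed but undocumented. The adjacent single-`+` `IPv6SendRA.RetransmitSec` line comes from the other merge parent and is unrelated to this feature.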