Hello! I am currently fighting with the following problem: I've got a system that has 3 relevant interfaces: ppp0, en0 and en2, for external, internal and dmz respectively.
The dmz is IPv6 only, a homelab testbed more or less. I've got the following rules in /etc/nftables.conf for IPv6 (I am abbreviating the chain input, because I am only fighting with forwarding):

    table ip6 filter {
        chain input {
            ...
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname ppp0 oifname en0 ct state established,related accept
            iifname en0 oifname ppp0 accept
            iifname en2 oifname ppp0 accept
            iifname ppp0 oifname en2 accept
            iifname en0 oifname en2 accept
            iifname en2 oifname en0 ct state established,related accept
            meta l4proto ipv6-icmp accept
        }
    }

This "almost" works: I can do everything I want from my internal network (connected to en0) towards the outside, and TCP connections from and to the dmz also work. Ping works everywhere. What does not work, and this puzzles me, is that UDP does not work. E.g. if I look up a DNS name in my dmz (connected to en2), I see no UDP packets if I start tcpdump on the external interface ppp0. I see them entering on en2. Why does UDP behave differently from TCP here? Is this an nftables or IPv6 specific gotcha?

If I insert the following rule at the bottom, everything starts to work:

    meta l4proto udp accept

but I don't know how to limit this overly broad rule (so it does not forward UDP to the internal network on en0, which I do not want). Trying e.g.

    iifname en2 oifname ppp0 meta l4proto udp accept
    iifname ppp0 oifname en0 meta l4proto udp accept

did not work either, and behaved like my initial setup described on top. Any hints for me? TIA Ralph
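Added illustration, not part of Ralph's post and not nftables code: a small first-match evaluator in Python for the forward chain quoted above. It models only the matches the posted rules use (iifname, oifname, meta l4proto, ct state) and the chain policy; there is no real connection tracking, so the ct state of each test packet is an assumption supplied by hand, and the interface names and the three rule variants (the posted chain, the chain with the broad `meta l4proto udp accept`, and the chain with the two scoped rules from the post) are taken from the post verbatim. Rule indices in the results count from 0, so "rule 2" is the third line of the chain.

```python
"""Toy first-match evaluator for an nftables *forward* chain (added example).

It models only what the posted ruleset uses: iifname, oifname, meta l4proto,
ct state, and the chain policy.  There is no real conntrack: the ct state of
a packet is an input you choose.  Everything else nftables can match is out
of scope, so a verdict here means "these rules, read top to bottom, would
decide this way", nothing more.
"""
from dataclasses import dataclass

# The forward chain as it appears in the post, one rule per line.
POSTED_FORWARD_RULES = """
iifname ppp0 oifname en0 ct state established,related accept
iifname en0 oifname ppp0 accept
iifname en2 oifname ppp0 accept
iifname ppp0 oifname en2 accept
iifname en0 oifname en2 accept
iifname en2 oifname en0 ct state established,related accept
meta l4proto ipv6-icmp accept
"""

# The two variants the post tries, appended at the bottom of the chain.
BROAD_UDP_RULE = "meta l4proto udp accept\n"
POSTER_SCOPED_UDP_RULES = (
    "iifname en2 oifname ppp0 meta l4proto udp accept\n"
    "iifname ppp0 oifname en0 meta l4proto udp accept\n"
)

INTERFACES = ("ppp0", "en0", "en2")  # external, internal, dmz (from the post)


@dataclass(frozen=True)
class Packet:
    iif: str
    oif: str
    l4proto: str   # "udp", "tcp" or "ipv6-icmp"
    ct_state: str  # "new", "established", "related" or "invalid"; chosen by the caller


def parse_rule(line: str):
    """Parse one rule line into (matches, verdict).  Unknown tokens raise, so a
    rule this model cannot represent is never silently treated as matching."""
    toks = line.split()
    matches, verdict, i = {}, None, 0
    while i < len(toks):
        t = toks[i]
        if t in ("iifname", "oifname"):
            matches[t] = toks[i + 1]
            i += 2
        elif t == "meta" and toks[i + 1] == "l4proto":
            matches["l4proto"] = toks[i + 2]
            i += 3
        elif t == "ct" and toks[i + 1] == "state":
            matches["ct_state"] = set(toks[i + 2].split(","))
            i += 3
        elif t in ("accept", "drop"):
            verdict = t
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line!r}")
    if verdict is None:
        raise ValueError(f"rule has no verdict: {line!r}")
    return matches, verdict


def parse_chain(text: str):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def rule_matches(matches: dict, pkt: Packet) -> bool:
    """Every match present in the rule must hold; absent matches hold trivially."""
    return (matches.get("iifname", pkt.iif) == pkt.iif
            and matches.get("oifname", pkt.oif) == pkt.oif
            and matches.get("l4proto", pkt.l4proto) == pkt.l4proto
            and pkt.ct_state in matches.get("ct_state", {pkt.ct_state}))


def evaluate(rules, pkt: Packet, policy: str = "drop"):
    """nftables semantics: the first rule whose matches all hold and that carries
    a verdict decides; if none does, the chain policy applies.
    Returns (verdict, index of the deciding rule, or None when the policy decided)."""
    for idx, (matches, verdict) in enumerate(rules):
        if rule_matches(matches, pkt):
            return verdict, idx
    return policy, None


def udp_paths(rules):
    """Sorted (iif, oif) pairs on which a NEW UDP flow is accepted."""
    return sorted((a, b) for a in INTERFACES for b in INTERFACES
                  if a != b and evaluate(rules, Packet(a, b, "udp", "new"))[0] == "accept")


BASE_RULES = parse_chain(POSTED_FORWARD_RULES)
BROAD_RULES = parse_chain(POSTED_FORWARD_RULES + BROAD_UDP_RULE)
SCOPED_RULES = parse_chain(POSTED_FORWARD_RULES + POSTER_SCOPED_UDP_RULES)

if __name__ == "__main__":
    for name, rules in (("posted", BASE_RULES), ("+ broad udp", BROAD_RULES),
                        ("+ scoped udp", SCOPED_RULES)):
        print(f"{name:14s} new UDP accepted on: {udp_paths(rules)}")
    # The DNS query leaving the dmz: which rule decides it?
    print("en2 -> ppp0 new UDP:", evaluate(SCOPED_RULES, Packet("en2", "ppp0", "udp", "new")))
```

Running it shows three things about the rules as written. With the posted chain alone, a new UDP packet en2 -> ppp0 is already accepted by rule 2 (`iifname en2 oifname ppp0 accept`), so the scoped `iifname en2 oifname ppp0 meta l4proto udp accept` added at the bottom is shadowed and never decides anything. The broad `meta l4proto udp accept` opens new UDP on all six interface pairs, including en2 -> en0 and ppp0 -> en0. And the second scoped rule from the post, `iifname ppp0 oifname en0 meta l4proto udp accept`, is the one that admits new UDP from ppp0 into en0, which is the direction the post says it wants to keep closed. Because this model accepts the dmz DNS query on the posted rules, whatever stops those packets in the real setup is outside what these four match types see; the model cannot say what it is.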