branch: externals/nftables-mode
commit 3e71d87a8c072d7700d9496ea6fbdbdeebb0abd5
Author: Trent W. Buck <[email protected]>
Commit: Trent W. Buck <[email protected]>
Chuck out the stateless vmap example from the "simple version" firewall
---
nftables-host.nft | 80 ++-----------------------------------------------------
1 file changed, 2 insertions(+), 78 deletions(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index 842ee961b4..166f7cd52c 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -109,9 +109,8 @@ table inet my_filter {
iiftype loopback accept
# Allow *some* kinds of IPv4/ICMP and IPv6/ICMPv6.
- # FIXME: are "ip protocol icmp" and "ip6 nexthdr icmpv6" needed?
- ip protocol icmp icmp type vmap @ICMP_policy
- ip6 nexthdr icmpv6 icmpv6 type vmap @ICMPv6_RFC4890_policy
+ icmp type echo-request accept
+ icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert,
nd-neighbor-advert } accept
# YOUR RULES HERE.
# NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
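Review bot: The new `+ icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept` line leaves out `packet-too-big` (ICMPv6 type 2), which the removed vmap accepted under its "1 - 4: accept, # essential errors" entry and which RFC 4890 4.3.1 lists as must-not-drop; with it gone, Path MTU discovery for this host's own connections only keeps working if a `ct state related,established accept` rule earlier in the chain (not visible in this hunk) lets the related ICMP error through. The IPv4 side has the same dependency, since only `echo-request` survives and `destination-unreachable`/`time-exceeded`/`parameter-problem` from the removed ICMP_policy map are no longer accepted explicitly. I would write the IPv6 line as `icmpv6 type { echo-request, packet-too-big, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept` and, if the conntrack rule does exist, add above both lines `# ICMP/ICMPv6 errors for tracked flows pass via the ct state rule; only unsolicited types are listed here.` so the next reader knows why the error types are absent. The enclosing chain opens and closes outside this hunk, so the presence and order of that ct state rule should be checked there.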
@@ -148,81 +147,6 @@ table inet my_filter {
# policy accept
#}
-
- # Allow all ICMPv6 is wrong (insecure);
- # Deny all ICMPv6 is wrong (breaks IPv6).
- # The following vmap merges RFC 4890 4.4 (for hosts) and 4.4 (for routers).
- # Fortunately, the only verdict conflicts occur in
- # "Traffic That Will Be Dropped Anyway" sections, so we can share this vmap
- # between hook input (host) and hook forward (router).
- #
- # I *think* "dropped anyway" also means we also don't need these:
- # ip6 hoplimit 1 # for LLMNR
- # ip6 hoplimit 255 # for RA/RS/NA/NS
- # ip6 saddr fe80::/10 # for LLMNR and MLD
- #
- # NOTE: I was going to use named types, but "nft describe icmpv6 type"
doesn't have them all.
- # Also, using bare numbers makes it possible to use intervals
intuitively.
- #
- # FIXME: add "auto-merge" when possible
- # (nft 0.9.1 has set auto-merge, but not map auto-merge).
- map ICMPv6_RFC4890_policy {
- type icmpv6_type : verdict
- flags interval
- elements = {
- 1 - 4: accept, # RFC 4890 4.3.1 & 4.4.1 essential errors
- 128 - 129: accept, # RFC 4890 4.3.1 & 4.4.1 Echo (ping)
- 144 - 147: accept, # RFC 4890 4.3.2 & 4.4.3 Mobile IPv6
- 133 - 136: accept, # RFC 4890 4.3.3 & 4.4.1 (replaces ARP and
DHCPv4)
- 141 - 142: accept, # RFC 4890 4.3.3 & 4.4.1 (replaces ARP and
DHCPv4)
- 130 - 132: accept, # RFC 4890 4.3.3 & 4.4.1 LLMNR
- 143: accept, # RFC 4890 4.3.3 & 4.4.1 LLMNR
- 148 - 149: accept, # RFC 4890 4.3.3 & 4.4.1 SEND
- 151 - 153: accept, # RFC 4890 4.3.3 & 4.4.1 Multicast Router
- 137: drop, # RFC 4890 4.3.3 & 4.4.4 Redirect
- 150: drop, # RFC 4890 4.3.4 & 4.4.3 Seamoby
- 5 - 99: drop, # RFC 4890 4.3.4 & 4.4.4 unallocated error
messages
- 102 - 126: drop, # RFC 4890 4.3.4 & 4.4.4 unallocated error
messages
- 154 - 199: drop, # RFC 4890 4.3.4 & 4.4.? unallocated
informational messages
- 202 - 254: drop, # RFC 4890 4.3.4 & 4.4.? unallocated
informational messages
- 138: drop, # RFC 4890 4.3.5 & 4.4.3 route renumbering
- 100 - 101: drop, # RFC 4890 4.3.5 & 4.4.5 experimental
allocations
- 200 - 201: drop, # RFC 4890 4.3.5 & 4.4.5 experimental
allocations
- 127: drop, # RFC 4890 4.3.5 & 4.4.5 extension type numbers
- 139 - 140: drop, # RFC 4890 4.3.5 & 4.4.4 Node Information
- 255: drop, # RFC 4890 4.3.5 & 4.4.5 extension type numbers
- }
- }
-
- # NOTE: I couldn't find an RFC for ICMPv4 firewall, so
- # I am adopting the following heuristic:
- #
- # 1. if there is an ICMPv6 equivalent, follow RFC4890.
- # 2. if deprecated or experimental or reserved or unallocated, drop.
- # 3. NOT rate-limiting ping for now, because ICBF.
- # 4. NOT filtering by type.code (only type) for now, because ICBF.
- map ICMP_policy {
- type icmp_type : verdict
- flags interval
- elements = {
- destination-unreachable: accept, # RFC 4890 4.3.1 essential
errors
- time-exceeded: accept, # RFC 4890 4.3.1 essential
errors
- parameter-problem: accept, # RFC 4890 4.3.1 essential
errors
- echo-request: accept, # RFC 4890 4.3.1 echo (ping)
- echo-reply: accept, # RFC 4890 4.3.1 echo (ping)
- router-advertisement: accept, # RFC 4890 4.3.3 & 4.4.1 (IRDP
- alternative to DHCPv4??)
- router-solicitation: accept, # RFC 4890 4.3.3 & 4.4.1 (IRDP
- alternative to DHCPv4??)
- redirect: drop, # RFC 4890 4.3.3 & 4.4.4
Redirect
- source-quench: drop, # deprecated
- 1 - 2: drop, # unassigned
- 6 - 7: drop, # deprecated / unassigned
- 15 - 39: drop, # deprecated / unassigned /
reserved / experimental
- 41 - 255: drop, # deprecated / unassigned /
reserved / experimental
- 13 - 14: continue, # FIXME Timestamp / Timestamp
Reply???
- 40: continue, # FIXME Photuris???
- }
- }
-
}
# This is here to aid debugging.