author: Lukas Wunner <lukas@wunner.de> 2020-03-11 13:20:06 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-10-28 02:01:25 +0200
commit: 510c4fad7e78f9350f492463d68899a6154807d3 (patch)
tree: 42057f190379a7a2c2501977957f1cb6bb501e90 /doc
parent: 1e30a3a49a5eaf2a1e0e4b2d8f4949db9db565e7 (diff)
src: Support netdev egress hook
Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/nft.txt | 34
-rw-r--r-- doc/statements.txt | 6
2 files changed, 30 insertions, 10 deletions
diff --git a/doc/nft.txt b/doc/nft.txt
index c9bb901b..e4ed9824 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -193,7 +193,7 @@ packet processing paths, which invoke nftables if rules for these hooks exist.
*inet*:: Internet (IPv4/IPv6) address family.
*arp*:: ARP address family, handling IPv4 ARP packets.
*bridge*:: Bridge address family, handling packets which traverse a bridge device.
-*netdev*:: Netdev address family, handling packets from ingress.
+*netdev*:: Netdev address family, handling packets on ingress and egress.
All nftables objects exist in address family specific namespaces, therefore all
identifiers include an address family. If an identifier is specified without an
@@ -251,9 +251,9 @@ The list of supported hooks is identical to IPv4/IPv6/Inet address families abov
NETDEV ADDRESS FAMILY
~~~~~~~~~~~~~~~~~~~~
-The Netdev address family handles packets from the device ingress path. This
-family allows you to filter packets of any ethertype such as ARP, VLAN 802.1q,
-VLAN 802.1ad (Q-in-Q) as well as IPv4 and IPv6 packets.
+The Netdev address family handles packets from the device ingress and egress
+path. This family allows you to filter packets of any ethertype such as ARP,
+VLAN 802.1q, VLAN 802.1ad (Q-in-Q) as well as IPv4 and IPv6 packets.
.Netdev address family hooks
[options="header"]
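Review bot: In the replacement text "handles packets from the device ingress and egress path", "path" should be plural ("paths"): two distinct traversal paths are described, and the hook table that follows lists them as separate rows.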
@@ -263,8 +263,27 @@ VLAN 802.1ad (Q-in-Q) as well as IPv4 and IPv6 packets.
All packets entering the system are processed by this hook. It is invoked after
the network taps (ie. *tcpdump*), right after *tc* ingress and before layer 3
protocol handlers, it can be used for early filtering and policing.
+|egress |
+All packets leaving the system are processed by this hook. It is invoked after
+layer 3 protocol handlers and before *tc* egress. It can be used for late
+filtering and policing.
|=================
+Tunneled packets (such as *vxlan*) are processed by netdev family hooks both
+in decapsulated and encapsulated (tunneled) form. So a packet can be filtered
+on the overlay network as well as on the underlying network.
+
+Note that the order of netfilter and *tc* is mirrored on ingress versus egress.
+This ensures symmetry for NAT and other packet mangling.
+
+Ingress packets which are redirected out some other interface are only
+processed by netfilter on egress if they have passed through netfilter ingress
+processing before. Thus, ingress packets which are redirected by *tc* are not
+subjected to netfilter. But they are if they are redirected by *netfilter* on
+ingress. Conceptually, tc and netfilter can be thought of as layers, with
+netfilter layered above tc: If the packet hasn't been passed up from the
+tc layer to the netfilter layer, it's not subjected to netfilter on egress.
+
RULESET
-------
[verse]
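Review bot: The sentence "This ensures symmetry for NAT and other packet mangling" appears in a family whose chains are restricted to the *filter* type (the later hunk in this file reads "*filter* type with *ingress* hook and *filter* type with *egress* hook"), so a reader may take it to mean netdev chains can perform NAT; suggest rewording to make clear that the point is the traversal order itself, e.g. "This keeps the traversal order symmetric, so mangling applied at one hook can be reversed at its mirror on the return path." Two smaller points on the same hunk: the tunneled-packets paragraph says both the decapsulated and encapsulated forms are processed but not on which device each form is seen, and because base chains in this family are bound to a *device* the reader needs that to know where to attach each chain; and the redirect paragraph describes a real enforcement boundary (packets redirected by *tc* never reach the netfilter egress hook), which is worth stating up front as a caveat for anyone using an egress chain as a policy enforcement point rather than leaving it as the closing remark of the section.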
@@ -388,9 +407,10 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
*forward* hook or *route* type only supporting *output* hook), there are three
further quirks worth noticing:
-* The netdev family supports merely a single combination, namely *filter* type and
- *ingress* hook. Base chains in this family also require the *device* parameter
- to be present since they exist per incoming interface only.
+* The netdev family supports merely two combinations, namely *filter* type with
+ *ingress* hook and *filter* type with *egress* hook. Base chains in this
+ family also require the *device* parameter to be present since they exist per
+ interface only.
* The arp family supports only the *input* and *output* hooks, both in chains of type
*filter*.
* The inet family also supports the *ingress* hook (since Linux kernel 5.10),
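Review bot: The new bullet omits the kernel version that introduced the egress hook, although the neighbouring bullet follows the convention "*ingress* hook (since Linux kernel 5.10)". The commit message says the hook is queued for v5.16-rc1, so writing "*filter* type with *egress* hook (since Linux kernel 5.16)" would tell readers why loading such a chain fails on older kernels and keep the two bullets consistent.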
diff --git a/doc/statements.txt b/doc/statements.txt
index d402da70..8675892a 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -658,7 +658,7 @@ string
ip filter forward dup to 10.2.3.4 device "eth0"
# copy raw frame to another interface
-netdetv ingress dup to "eth0"
+netdev ingress dup to "eth0"
dup to "eth0"
# combine with map dst addr to gateways
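Review bot: The "netdetv" to "netdev" typo fix is correct. Since the commit message states that egress usage is identical to ingress, consider pairing this example with its egress form (e.g. `netdev egress dup to "eth0"`) if the dup statement is indeed available in that hook; the dup statement's own availability text is not part of this diff, so it may need the same "ingress and egress hooks" update that the fwd statement receives in the next hunk.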
@@ -668,8 +668,8 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
FWD STATEMENT
~~~~~~~~~~~~~
The fwd statement is used to redirect a raw packet to another interface. It is
-only available in the netdev family ingress hook. It is similar to the dup
-statement except that no copy is made.
+only available in the netdev family ingress and egress hooks. It is similar to
+the dup statement except that no copy is made.
*fwd to* 'device'
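Review bot: The updated availability sentence does not say what happens to a packet forwarded from the *egress* hook. The nft.txt hunk in this same commit states that packets redirected by netfilter on ingress are subjected to egress processing, so a ruleset author will ask whether a packet fwd'd on egress then traverses the target device's egress hook as well, which determines whether two egress chains can forward to each other in a loop. One sentence settling that would complete the change.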