Hi Team,

I have nftables to only allow specific v6 traffic, but I see that v6 address is not exactly matched.

nftables version: nftables v1.0.9 (Old Doc Yak #3)

I have created a custom chain filter and added a rule to match it against the below set:

    nft add set inet filter_table set1 "{ type inet_proto . ipv6_addr; flags interval ; counter; }"
    nft add element inet filter_table set1 "{ ipv6-icmp . 10:0:3::10}"
    nft add rule inet filter_table ip6_filter meta l4proto . ip6 saddr @set1 jump accept_actions

I am sending traffic from 10:0:1::10 to 10:0:2::10. Though my set source address is 10:0:3::10, the rule element is still getting hit (verified via the counter command).

If I remove the "flags interval" from the set it works, but I need to keep the "flags interval" because sometimes I want to configure a range as well.

A couple of examples I tried with modifying the source address in my set:

    10:0:1ff::10 (rule doesn't hit)
    10:0:ff::10 (rule hit)
    10:0:1::11 (doesn't hit)

Based on these tests (comparing with original source 10:0:1::10), it looks like only the first 40 bits and last 80 bits are matched; the middle 8 is kind of a wildcard.

Another data point is that if the set contains a single ipv6_addr (no other fields) it works fine. Below is the sample config:

    nft add set inet filter_table set1 "{ type ipv6_addr; flags interval ; counter; }"
    nft add element inet filter_table set1 "{ 10:0:3::10 }"
    nft add rule inet filter_table ip6_filter ip6 saddr @set1 jump accept_actions

Can someone please help here? I think this behaviour is not expected.

Regards,
Sontu
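The bit-level comparison behind the report, as an added example that is not part of the original message: it checks the four reported results against the hypothesis that bits 40-47 of the source address are ignored, and works out which bits the observed hits actually prove are ignored. It does not call nft; the function names and the reading of "middle 8" as bit positions 40-47 (counting from 0 at the most significant bit) are assumptions made here.

```python
import ipaddress

# Source address of the test traffic, as stated in the post.
PACKET_SRC = "10:0:1::10"

# (set element, did the rule hit?) exactly as reported in the post.
OBSERVATIONS = [
    ("10:0:3::10", True),
    ("10:0:1ff::10", False),
    ("10:0:ff::10", True),
    ("10:0:1::11", False),
]


def diff_bits(a, b):
    """Bit positions (0 = most significant) where two IPv6 addresses differ."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return {i for i in range(128) if (x >> (127 - i)) & 1}


def ignored_bits(observations, src=PACKET_SRC):
    """Bits proven to be ignored: they differed and the rule still hit."""
    ignored = set()
    for element, hit in observations:
        if hit:
            ignored |= diff_bits(element, src)
    return ignored


def hypothesis_consistent(wildcard, observations, src=PACKET_SRC):
    """True if 'only bits outside `wildcard` are compared' predicts every result."""
    for element, hit in observations:
        predicted_hit = diff_bits(element, src) <= wildcard
        if predicted_hit != hit:
            return False
    return True


if __name__ == "__main__":
    middle_byte = set(range(40, 48))  # assumed reading of "middle 8 bits"
    print("bits proven ignored:", sorted(ignored_bits(OBSERVATIONS)))
    print("bits 40-47 wildcard explains all results:",
          hypothesis_consistent(middle_byte, OBSERVATIONS))
    print("exact match explains all results:",
          hypothesis_consistent(set(), OBSERVATIONS))
```

The two reported hits prove bits 40-46 are ignored; bit 47 is the same in every address tested, so these four results cannot show whether it is compared.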