thelegy / nixos-nftables-firewall

A zone based firewall built ontop of nftables for nixos
https://thelegy.github.io/nixos-nftables-firewall/
MIT License

Add ability to enable flow offloading for given interfaces #7

Open ghostbuster91 opened 1 year ago

ghostbuster91 commented 1 year ago

Hi,

Thanks for this great project. One thing that I am missing is the ability to enable flow offloading for a given interface: https://wiki.nftables.org/wiki-nftables/index.php/Flowtables.

Example nftables configuration with offloading enabled:

table inet x {

    flowtable f {
        hook ingress priority 0; devices = { lo };
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # offload established connections
        ip protocol { tcp, udp } flow offload @f
        ip6 nexthdr { tcp, udp } flow offload @f
        counter packets 0 bytes 0

        # established/related connections
        ct state established,related counter accept

        # allow initial connection
        ip protocol { tcp, udp } accept
        ip6 nexthdr { tcp, udp } accept
    }
}

Expected behavior

Ideally it should be possible to enable flowtables via nixos-nftables-firewall. Maybe something like:

firewall = {
  enable = true;
  zones = {
    lan.interfaces = [ "lan1" "lan2" ];
    wan.interfaces = [ "wan" ];
  };

  flowtable-interfaces = [ "lan1" "lan2" ];
};

???

thelegy commented 11 months ago

Hi there, sorry for the wait. This project actually has multiple layers to define things. The lower one currently only knows tables, chains and rules. The higher one is built on top of it.

I agree that flowtables, sets, etc. should be something the lower level understands and can generate. For the chains there are already ways to get raw nft rules inside of chains and inside of high level rules. So while there is no high level support for it, it still can be done.

I do not have so much time at the moment, so I think I will not work on a high level abstraction for flowtables anytime soon.

As for the low level support: I have the need for sets myself, so when I find the time to work on sets, I might also do flowtables in one go. There I think I will build something similar to chains to enable the definition of flowtables.

But as I said, it is already possible to do what you want, let me show you how to do it. Actually I did something similar a few days ago with sets: https://github.com/thelegy/yaner/blob/2a1cf2927fced381f5e8942c231a4bb5ee78c447/modules/crowdsec.nix#L213-L243 The rough idea would be to add some string at the beginning of the ruleset to define the flowtable manually. Prepending something to the ruleset feels quite dirty, so that is what I would like to improve on.

And then something similar to the conntrack snippet can be used to put the flowtable nft rules in the chain: https://github.com/thelegy/nixos-nftables-firewall/blob/a33df9d2f586b85e8e7e546d9b99b39f3187c382/modules/snippets/nnf-conntrack.nix#L16-L28 To me that part is actually not too bad, so for my projects I would be fine in doing it that way.

I hope that helps already.
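The two-step approach thelegy sketches above (a raw flowtable definition prepended to the ruleset, plus offload rules placed in the forward chain through the low-level chains option), written out as a complete NixOS module. This is an added example, not code from the project or from either participant. It assumes that `networking.nftables.ruleset` accepts `lib.mkBefore` ordering, that `networking.nftables.chains.forward.<name>.{rules,before}` exist as used in the linked nnf-conntrack snippet and that `conntrack` is that snippet's fragment name, and that `fwTable` is set to whatever table name the module actually generates on the host; `offloadZones` and `offloadDevices` are hypothetical helper names.

```nix
# Added example, not code from the project or from this thread.
# Wires a flowtable into nixos-nftables-firewall using only the hooks that
# exist today: a raw string prepended to the ruleset for the flowtable itself,
# and the low-level chains option for the offload rules.
#
# Assumptions (labelled, not verified against the module source):
#  * fwTable must equal the table name the module generates on your host
#    (check with `nft list ruleset`); nft merges a second declaration of the
#    same table, so the flowtable lands next to the generated chains.
#  * networking.nftables.chains.forward.<name>.{rules,before} exist as used
#    in the nnf-conntrack snippet, and "conntrack" is that fragment's name.
{ config, lib, ... }:
let
  cfg = config.networking.nftables.firewall;
  fwTable = "nixos-fw"; # ASSUMPTION: replace with the name shown by `nft list ruleset`

  # Only traffic between these zones is offloaded. The device list is derived
  # from the zone definitions so it cannot drift away from them.
  offloadZones = [ "lan" "wan" ];
  offloadDevices = lib.unique (lib.concatMap (z: cfg.zones.${z}.interfaces) offloadZones);
in
{
  networking.nftables.firewall = {
    enable = true;
    zones = {
      lan.interfaces = [ "lan1" "lan2" ];
      wan.interfaces = [ "wan" ];
    };
  };

  # 1. Define the flowtable. Prepending a raw string is the part thelegy calls
  #    dirty, but it is what the low level allows right now.
  networking.nftables.ruleset = lib.mkBefore ''
    table inet ${fwTable} {
      flowtable f {
        hook ingress priority 0; devices = { ${lib.concatStringsSep ", " offloadDevices} };
      }
    }
  '';

  # 2. Hand established flows to the flowtable. This fragment has to run before
  #    the conntrack accept: once "ct state established,related accept" matches,
  #    the packet never reaches a later flow rule and nothing gets offloaded.
  networking.nftables.chains.forward.flowtable = {
    before = [ "conntrack" ];
    rules = [
      "ip protocol { tcp, udp } flow offload @f"
      "ip6 nexthdr { tcp, udp } flow offload @f"
    ];
  };
}
```

Two things to check after a rebuild. `nft list flowtables` should show `f` with the expected devices; nft refuses to load a flowtable whose devices do not exist yet, so a device that comes up late breaks the whole ruleset load rather than just the offload. And because offloaded packets bypass the forward chain after the flow is established, any counter, log or rate-limit rule that sits after the flow rule will stop seeing that traffic; rules that must observe every packet belong before the `flowtable` fragment.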