
#1 2024-12-30 07:48:24

Beemo
Member
Registered: 2024-12-20
Posts: 65

[Solved] systemd-networkd as firewall for forwarding traffic?

Is systemd-networkd intended to be used for policy routing only, not firewall?
I noticed it has

[RoutingPolicyRule]
Type=prohibit

which can be used to firewall traffic. However there is no way to say "accept", which makes selectively allowing traffic impossible?

I have 3 interfaces: wg, eth, sit. Only forwarding between wg<->eth, wg<->sit or wg<->wg is allowed. I'm trying to replicate this nft rule:

chain FORWARD {
    type filter hook forward priority filter; policy drop;
    iifname "wireguard-0" accept
    oifname "wireguard-0" accept
}

I imagine something like this:

[RoutingPolicyRule]
Type=prohibit
Priority=0

[RoutingPolicyRule]
IncomingInterface=wireguard-0
Type=nop
Priority=1

[RoutingPolicyRule]
OutgoingInterface=wireguard-0
Type=nop
Priority=1

[RoutingPolicyRule]
IncomingInterface=lo
Type=nop
Priority=1

[RoutingPolicyRule]
OutgoingInterface=lo
Type=nop
Priority=1

But it has several problems:

  • There is no way to match only forwarding traffic, so I had to add rules about "lo" to accept local traffic.

  • What happens when several rules match?

  • Is overriding the decision in a later rule even possible?

Last edited by Beemo (2024-12-31 08:58:37)

#2 2024-12-30 07:56:16

Beemo
Member
Registered: 2024-12-20
Posts: 65

Re: [Solved] systemd-networkd as firewall for forwarding traffic?

Hmm perhaps like this instead

[RoutingPolicyRule]
IncomingInterface=wireguard-0
# Type=table
Priority=0

...the lot

[RoutingPolicyRule]
Type=prohibit
Priority=1

EDIT: Tested, indeed it works, though too much clutter compared to nft.

Last edited by Beemo (2024-12-31 08:55:46)

#3 2024-12-30 12:50:21

-thc
Member
Registered: 2017-03-15
Posts: 1,066

Re: [Solved] systemd-networkd as firewall for forwarding traffic?

Theoretically you can abuse rule-based routing in that way - but IMHO you have to write a complete blacklist (specify all non-allowed combinations of in and out interfaces) and set the type to "prohibit" - but that's just a guess. I consider NFT the better option.

#4 2024-12-31 09:07:16

Beemo
Member
Registered: 2024-12-20
Posts: 65

Re: [Solved] systemd-networkd as firewall for forwarding traffic?

Beemo wrote:
  • There is no way to match only forwarding traffic, so I had to add rules about "lo" to accept local traffic.

  • What happens when several rules match?

  • Is overriding the decision in a later rule even possible?

  • The rules for lo seem to be needed, otherwise the server can't be connected...

  • Follows the 1st rule that reaches a verdict, e.g. table, not nop.
    The rules are just translated into ip rule under the hood.

  • No

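As an added illustration (not code from the thread or from systemd), a small Python model of the ordering behaviour described in #4: rules are walked by ascending priority, the first matching rule that reaches a verdict (table or prohibit) decides, and nop only continues the walk. It assumes a matching table lookup succeeds (the table holds a route for the packet) and uses the thread's interface names; the helper names are invented for the model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One [RoutingPolicyRule] section, reduced to the fields the thread uses."""
    priority: int
    type: str                   # "table", "nop" or "prohibit"
    iif: Optional[str] = None   # IncomingInterface= (None matches any)
    oif: Optional[str] = None   # OutgoingInterface= (None matches any)


def matches(rule: Rule, iif: str, oif: str) -> bool:
    return rule.iif in (None, iif) and rule.oif in (None, oif)


def verdict(rules: List[Rule], iif: str, oif: str) -> str:
    # Ascending priority; sorted() is stable, so rules sharing a priority
    # keep the order they were listed in. "nop" matches but reaches no
    # verdict, so the walk continues; "table" and "prohibit" end it.
    for rule in sorted(rules, key=lambda r: r.priority):
        if not matches(rule, iif, oif) or rule.type == "nop":
            continue
        # Assumption: a table lookup finds a route, i.e. the packet is accepted.
        return "accept" if rule.type == "table" else "prohibit"
    return "unreachable"  # nothing reached a verdict: no route


# Draft from post #1: prohibit first, nop "exceptions" afterwards.
DRAFT = [
    Rule(0, "prohibit"),
    Rule(1, "nop", iif="wireguard-0"),
    Rule(1, "nop", oif="wireguard-0"),
    Rule(1, "nop", iif="lo"),
    Rule(1, "nop", oif="lo"),
]

# Layout from post #2: table lookups first, catch-all prohibit last.
WORKING = [
    Rule(0, "table", iif="wireguard-0"),
    Rule(0, "table", oif="wireguard-0"),
    Rule(0, "table", iif="lo"),
    Rule(0, "table", oif="lo"),
    Rule(1, "prohibit"),
]

if __name__ == "__main__":
    for rules, name in ((DRAFT, "draft"), (WORKING, "working")):
        print(name, "wg->eth:", verdict(rules, "wireguard-0", "eth0"))
```

The draft prohibits every packet because the prohibit rule reaches a verdict before any nop rule is consulted, while the second layout lets wg<->eth, wg<->sit, wg<->wg and lo traffic through and prohibits eth<->sit.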