From ArchWiki
Jump to: navigation, search

Future article updates

I'm gonna be messing around with this page quite a bit in the coming weeks. The docs are pretty sparse, so it's gonna take some tinkering.

--sudokode (2014-01-27 17:27:30 UTC)

Bad practice and redundant code

Sitting beside the nftables maintainer, asking for feedback.

This page's sample rulesets could use a good cleanup. I'll do that soon.

TCP flag checks are not necessary, because you can just check for whether the packet is in an invalid state, or just not whitelist:

/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
                                 TCPHDR_URG) + 1] =
        [TCPHDR_SYN]                            = 1,
        [TCPHDR_SYN|TCPHDR_URG]                 = 1,
        [TCPHDR_SYN|TCPHDR_ACK]                 = 1,
        [TCPHDR_RST]                            = 1,
        [TCPHDR_RST|TCPHDR_ACK]                 = 1,
        [TCPHDR_FIN|TCPHDR_ACK]                 = 1,
        [TCPHDR_ACK]                            = 1,
        [TCPHDR_ACK|TCPHDR_URG]                 = 1,

ICMPv6 rate limiting like in the example is just stupid, for it breaks neighbour discovery (IPv6 ARP), ICMP isn't expensive to process, and it's not ICMP in of itself that is the problem. Anyhow, QoS is the job of the traffic control subsystem.

We probably should make not of kernel requirements for rulesets (e.g., 3.18+, so won't work with 3.14 linux-lts).

Maybe we should also provide guidance for getting upstream documentation, and troubleshooting. Attendance to netdev01 confirmed that it is in quite active development, and lots of usability features and fixes are in the pipeline.

Allowing all ICMP is not necessary, and is already handled by conntrack RELATED,ESTABLISHED. -- alp (2015-02-17