how to add a nft netdev-filter with firewall-cmd?

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

how to add a nft netdev-filter with firewall-cmd?

Post by AlBundy » 2022/01/24 11:02:59

Because my AVM Fritz.Box sends broadcasts to detected powerline adapters, which causes a lot of dropped packets (rx) (see https://pablo.tools/blog/computers/dropped-packets/), I want to add this rule to firewall-cmd or at least to system startup.

table netdev filter {
    chain ingress {
        type filter hook ingress device eno1 priority 0; policy accept;
        meta protocol {0x8912, 0x88e1} drop
    }
}
The manual commands are:

nft 'add table netdev filter'
nft 'add chain netdev filter ingress { type filter hook ingress device eno1 priority 0; policy accept; }'
nft 'add rule netdev filter ingress meta protocol {0x8912, 0x88e1} drop'
Is there a way to add this with firewall-cmd (firewalld.conf sets FirewallBackend=nftables)?
If this is not possible: what would be the best way to ensure that this rule is always added?

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

Re: how to add a nft netdev-filter with firewall-cmd?

Post by AlBundy » 2022/01/24 14:30:22

Current workaround: create the file /etc/nftables/fritzbox.nft with this content

#!/usr/sbin/nft -f

# see https://pablo.tools/blog/computers/dropped-packets/
# if you still get packets with eth.type == 0x8899 disable loop prevention in your switch (e.g. TL-SG105E)

table netdev filter {
    chain ingress {
        type filter hook ingress device eno1 priority 0; policy accept;
    }
}
# flush chain to avoid duplicated rules if service is started multiple times
flush chain netdev filter ingress
add rule netdev filter ingress meta protocol {0x8912, 0x88e1} drop
and a systemd service /etc/systemd/system/drop_fritzbox_homeplug_packets.service with this content

[Unit]
Description=drop packets with protocol 0x8912, 0x88e1 from avm fritzbox
Requires=multi-user.target
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/sbin/nft -f /etc/nftables/fritzbox.nft
Restart=no

[Install]
WantedBy=multi-user.target
Depending on how fast the system starts up and when the first packets arrive, I have zero to a few dropped packets.

If someone has a better solution for this problem feel free to add an answer. :-)
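A small check to verify after boot that the workaround above actually got loaded, by reading the JSON form of the ruleset (nft -j). This is an added example, not part of the thread; SAMPLE_NFT_JSON is constructed to mirror the ruleset in the post, and the helper handles both the set form (`{0x8912, 0x88e1}`) and a single-value match.

```python
"""Verify that the netdev ingress drop rule from the workaround above is
really loaded, by inspecting `nft -j list ruleset`. SAMPLE_NFT_JSON is
constructed sample output, not captured from a real host."""
import json
import subprocess

WANTED_ETHERTYPES = {0x8912, 0x88e1}  # the two ethertypes from the thread

SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.8", "json_schema_version": 1}},
    {"chain": {"family": "netdev", "table": "filter", "name": "ingress",
               "handle": 1, "type": "filter", "hook": "ingress",
               "dev": "eno1", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "netdev", "table": "filter", "chain": "ingress",
              "handle": 2,
              "expr": [{"match": {"op": "==",
                                  "left": {"meta": {"key": "protocol"}},
                                  "right": {"set": [0x8912, 0x88e1]}}},
                       {"drop": None}]}},
]})

def dropped_ethertypes(nft_json, dev="eno1"):
    """Ethertypes dropped by `meta protocol ... drop` rules in any netdev
    ingress base chain attached to `dev` (set form or single value)."""
    doc = json.loads(nft_json)["nftables"]
    chains = set()  # (table, chain) pairs hooked on ingress of `dev`
    for item in doc:
        c = item.get("chain", {})
        if c.get("family") == "netdev" and c.get("hook") == "ingress" and c.get("dev") == dev:
            chains.add((c["table"], c["name"]))
    dropped = set()
    for item in doc:
        r = item.get("rule")
        if not r or (r["table"], r["chain"]) not in chains or not any("drop" in e for e in r["expr"]):
            continue
        for e in r["expr"]:
            m = e.get("match", {})
            if m.get("op") != "==" or m.get("left", {}).get("meta", {}).get("key") != "protocol":
                continue
            right = m["right"]
            vals = right["set"] if isinstance(right, dict) else [right]
            dropped.update(int(v, 0) if isinstance(v, str) else v for v in vals)
    return dropped

def missing_ethertypes(nft_json, dev="eno1", wanted=WANTED_ETHERTYPES):
    """Ethertypes the live ruleset does not yet drop (empty set means OK)."""
    return set(wanted) - dropped_ethertypes(nft_json, dev)

if __name__ == "__main__":  # on a real host: run as root after boot
    out = subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True, text=True, check=True).stdout
    print("missing:", sorted(hex(x) for x in missing_ethertypes(out)))
```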

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: how to add a nft netdev-filter with firewall-cmd?

Post by jlehtone » 2022/01/24 18:54:26

Would you be ready to disable & mask firewalld.service, enable nftables.service and feed the entire ruleset to it?

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

Re: how to add a nft netdev-filter with firewall-cmd?

Post by AlBundy » 2022/01/24 20:32:34

I'd like to stay with firewalld and firewall-cmd.
firewalld uses nftables so I thought that there must be a way to add the above rule to the configuration.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: how to add a nft netdev-filter with firewall-cmd?

Post by jlehtone » 2022/01/25 08:55:00

Understandable. I wonder whether anything from the nftables unit could be useful, particularly the "Before=network-pre.target"?

# cat /usr/lib/systemd/system/nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

Re: how to add a nft netdev-filter with firewall-cmd?

Post by AlBundy » 2022/01/25 15:13:37

When I first checked the file I didn't know nft -f; I thought this started some kind of daemon.
Later I found out that nft -f only adds the rules from the given file.

flush ruleset is not a good idea because I have a lot of rules from firewalld.

So the "only" difference from my unit seems to be the dependencies.

I'd like to have the rules added together with the firewalld-rules to have zero dropped packets but if nobody has an idea how to achieve this I can also live with ~10 dropped packets in the statistics. :-)
