I had the allow-dhcp rule included by filterref in previous tries. I
tried to get an overview for testing into one file.
From what I understood in the documentation, the root chain takes every
rule and includes the chains like IPv4 in it.
So bringing it into root is not as efficient, because the IPv4 chain
only concerns IPv4 packets, while the root chain takes every packet.
Did I get this right?
Without the drop rule, I can track the flow in Wireshark:
0.0.0.0 -> 255.255.255.255 UDP 68->67 Discover
10.16.136.9 -> 255.255.255.255 UDP UDP 67->68 Offer
0.0.0.0 -> 255.255.255.255 UDP 68->67 Request
10.16.136.9 -> 255.255.255.255 UDP UDP 67->68 ACK
Couldn't see anything that shouldn't be captured by the 'allow-dhcp'
rule.
Am 30.08.24 um 12:20 schrieb Daniel P. Berrangé:
On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
> Hello,
>
> I'm trying to set up a nwfilter ruleset, where the client only should be
> able to answer to incoming requests and pings. The outbound traffic (LAN and
> Internet) shouldn't be working.
>
> I've got the rules as mentioned below (I moved all filterref inside for
> debugging):
> <filter name='fwrule-test0' chain='root' priority='-700'>
> <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
> <rule action='accept' direction='out' priority='100'>
> <ip protocol='udp' srcportstart='68' dstportstart='67'/>
> </rule>
> <rule action='accept' direction='in' priority='101'>
> <ip protocol='udp' srcportstart='67' dstportstart='68'/>
> </rule>
snip
> </filter>
> My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter
> 'allow-dhcp'.
> Am I missing something here?
You've got a subtle difference - the 'allow-dhcp' filter is adding
rules to the 'ipv4' chain, while you're adding rules to the 'root'
chain, which might make a difference.
Rather than duplicating rules for port 67/68, you could just reference it:
<filterref filter='allow-dhcp'/>
With regards,
Daniel
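As an added illustration of Daniel's suggestion (not a ruleset from anyone in this thread): a filter that places its own rules in the 'ipv4' chain, pulls in the built-in 'allow-dhcp' and 'allow-arp' filters by filterref instead of copying their port 67/68 rules, and lets the guest answer incoming requests and pings while dropping outbound traffic it initiates itself. The filter name, the priorities, the 'answer-only' policy and the reliance on the host's connection tracking (the state attribute) are assumptions for this example.

```xml
<!-- Added example; assumed filter name and priorities. -->
<filter name='answer-only' chain='ipv4' priority='-700'>
  <!-- Built-in libvirt filters: DHCP client/server traffic and ARP.
       Their rules stay in their own chains; no need to duplicate them. -->
  <filterref filter='allow-dhcp'/>
  <filterref filter='allow-arp'/>

  <!-- Let anything reach the guest (incoming requests, echo requests). -->
  <rule action='accept' direction='in' priority='100'>
    <all/>
  </rule>

  <!-- Outbound packets are only allowed when the host's connection
       tracking classifies them as replies to something that came in.
       Assumes conntrack is available on the host. -->
  <rule action='accept' direction='out' priority='200'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>

  <!-- Everything else the guest tries to send out is dropped.
       Highest priority number, so it is evaluated last in this chain. -->
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define answer-only.xml` and reference it from the guest's interface with `<filterref filter='answer-only'/>`; re-check the DHCP exchange in Wireshark afterwards, since the drop rule now lives in the ipv4 chain rather than root.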