
nftables ipsec



Hello,

I am running into a problem using the "ipsec" expressions with nftables.

IPSEC EXPRESSIONS

ipsec {in | out} [ spnum NUM ]  {reqid | spi}
ipsec {in | out} [ spnum NUM ]  {ip | ip6} {saddr | daddr}

An ipsec expression refers to ipsec data associated with a packet.

The in or out keyword needs to be used to specify if the expression should examine inbound or outbound policies. The in keyword can be used in the prerouting, input and forward hooks. The out keyword applies to forward, output and postrouting hooks. The optional keyword spnum can be used to match a specific state in a chain, it defaults to 0.

Table 34. Ipsec expression types

Keyword   Description                        Type
reqid     Request ID                         integer (32 bit)
spi       Security Parameter Index           integer (32 bit)
saddr     Source address of the tunnel       ipv4_addr/ipv6_addr
daddr     Destination address of the tunnel  ipv4_addr/ipv6_addr

https://manpages.debian.org/buster-backports/nftables/nft.8.en.html


I am using the kernel linux-image-5.2.0-0.bpo.3-amd64 (5.2.17-1~bpo10+1) with nftables (0.9.2-1~bpo10+1), which uses libnftnl11 (1.1.4-1~bpo10+1).

Going by this post: https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables, all the conditions appear to be met.

Yet nft returns the error "Error: Could not process rule: No such file or directory", as if the function were not implemented.

Does anyone have an idea?

Regards.
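An added example, not taken from the mail above or from the nftables project, showing the ipsec expression from the quoted man page in a working gateway ruleset, together with a check for the kernel-side support. The reqid, subnets and gateway address are constructed sample values; nft_xfrm and CONFIG_NFT_XFRM are the kernel module and config option that provide the expression.

```shell
#!/bin/sh
# Emit an nftables ruleset using the ipsec expression: forward traffic between
# 10.0.0.0/24 (local) and 10.0.1.0/24 (remote) only when it was decrypted from,
# or will be encrypted by, the IPsec policy with reqid 1 whose remote tunnel
# endpoint is 203.0.113.10 (all constructed sample values).
ipsec_ruleset() {
    cat <<'EOF'
table inet ipsec_gw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Inbound: packet matched an inbound xfrm policy with reqid 1 and the
        # tunnel's source address is the remote gateway (spnum defaults to 0).
        ipsec in reqid 1 ipsec in ip saddr 203.0.113.10 \
            ip saddr 10.0.1.0/24 ip daddr 10.0.0.0/24 accept

        # Outbound: packet will be encrypted under the outbound policy reqid 1.
        ipsec out reqid 1 ip saddr 10.0.0.0/24 ip daddr 10.0.1.0/24 accept

        # Cleartext traffic for the remote network never leaves unprotected.
        ip daddr 10.0.1.0/24 counter drop
    }
}
EOF
}

# "Could not process rule: No such file or directory" is what nft prints when
# the kernel answers ENOENT, i.e. it has no expression of that type. The ipsec
# expression lives in the nft_xfrm module (CONFIG_NFT_XFRM, kernel >= 4.20),
# so check that the running kernel was built with it or ships the module.
kernel_has_nft_xfrm() {
    rel=$(uname -r)
    if [ -f "/boot/config-$rel" ] && grep -q '^CONFIG_NFT_XFRM=[ym]' "/boot/config-$rel"; then
        return 0
    fi
    find "/lib/modules/$rel" -name 'nft_xfrm.ko*' 2>/dev/null | grep -q .
}

# Parse and dry-run the ruleset (-c / --check) without changing the live
# ruleset; needs nft installed and CAP_NET_ADMIN.
check_ruleset() {
    ipsec_ruleset | nft -c -f -
}
```

Run `kernel_has_nft_xfrm || echo "kernel lacks nft_xfrm"` before `check_ruleset` to tell a kernel without the expression apart from a syntax error in the rules.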

