It seems Linux already has a module for nftables, nf_xfrm, which contains some code about reqid; however, there is no description of it in the man page.
So, how do I translate the following command to nftables?
iptables -D FORWARD -s 10.0.0.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
nftables version 0.9.0 was released on 2018-06-08, more than a year ago, and this feature is not available in that version. Only testing whether a packet has been decapsulated is available.
UPDATE: nftables 0.9.1 was released on 2019-06-24, so one can hope it will be packaged in one's favorite distribution soon.
Kernel support for additional handling of ipsec in nftables was added in version 4.20 [1]. On the userland side, corresponding support for additional ipsec features was added in the git master branches around 2018-09-21 for libnftnl [2], [3] and nftables [4], [5], [6].
The last patch is what provides reqid:
(Well, there isn't an example for a request id, nor for matching the underlying protocol, which might not be implemented; see later.)
So to be able to use this feature, currently at least this is needed:
If OP's iptables rule were an append rather than a delete (which currently can only be done in nftables by using the handle keyword), it should translate into this (including boilerplate):
I didn't add meta ipsec exists before ipsec in reqid 1: testing the reqid should require, and thus test, having already been subject to ipsec decapsulation. What doesn't appear to be made available, and isn't mentioned in the documentation, is the equivalent of --proto esp, so I couldn't put it. If matching the esp protocol is really needed, one can imagine that using a mark on the outer envelope packet should do it, knowing that the mark is preserved after decapsulation:
Disclaimer: take with a grain of salt; only the syntax was tested (using nftables from git commit 01e5c6f0ed0315046537612f5a80e506d37a7f8e). This wasn't actually verified on IPsec. There's probably also a rule to add for 4500/UDP for UDP-encapsulated ESP.
[1] netfilter: nf_tables: add xfrm expression
[2] expr: rt: ipsec match support
[3] expr: add xfrm support
[4] src: rt: add support to check if route will perform ipsec transformation
[5] src: rename meta secpath to meta ipsec
[6] src: add ipsec (xfrm) expression
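As an added illustration (not part of the question or the answer above), here is a complete ruleset in nft syntax that expresses the same match as the iptables rule in the question, using the ipsec expression the answer points to. It assumes nftables 0.9.1 or later and a 4.20 or later kernel, as the answer states, and a chain named forward in a table named filter; both names are my choice.

```nft
# Constructed example ruleset, equivalent of:
#   iptables -A FORWARD -s 10.0.0.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 -j ACCEPT
# (the --proto esp part has no nftables counterpart, as noted in the answer)
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # "ipsec in reqid 1" only matches packets that were decapsulated by an
        # inbound IPsec policy whose reqid is 1, so an explicit
        # "meta ipsec exists" test in front of it is redundant.
        iifname "eth0" ip saddr 10.0.0.1 ipsec in reqid 1 accept
    }
}
```

Load it with nft -f, then confirm the rule with nft -a list chain inet filter forward: the -a flag prints each rule's handle, which is what a later nft delete rule inet filter forward handle N needs, since, as the answer says, deleting a rule in nftables is done by handle rather than by repeating the match.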