Vladimir Khailenko <vkhailenko@xxxxxxxxx> wrote:

[ CC netfilter-devel ]

> We can create a set with "ipv4_addr . inet_proto . inet_service":
>
> set allow_dns_ntp {
>         type ipv4_addr . inet_proto . inet_service
>         elements = { 1.2.3.4 . tcp . domain,
>                      1.2.3.4 . udp . domain,
>                      5.6.7.8 . udp . ntp }
> }
>
> But how can we use them?
>
> "iifname $nic_wan ip daddr . protocol . dport @allow_dns_ntp ct state new counter accept" - Does not work
>
> "iifname $nic_wan ip daddr . ip protocol . tcp dport @allow_dns_ntp ct state new counter accept" - this works, but does not make any sense…

Yes, that doesn't work. This could work, with a small patch:

add rule inet filter input iifname lo ip daddr . ip protocol . @th,16,16 @allow_dns_ntp ct state new counter accept

diff --git a/src/payload.c b/src/payload.c
--- a/src/payload.c
+++ b/src/payload.c
@@ -175,6 +175,11 @@ void payload_init_raw(struct expr *expr, enum proto_bases base,
 	expr->payload.offset = offset;
 	expr->len = len;
 	expr->dtype = &integer_type;
+
+	if (len == 16 && base == PROTO_BASE_TRANSPORT_HDR) {
+		if (offset == 0 || offset == 16)
+			expr->dtype = &inet_service_type;
+	}
 }
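Review bot: the new `if` in payload_init_raw() keys only on base, length and offset, not on which transport protocol is actually in the packet, so any 16-bit raw field at bit offset 0 or 16 of the transport header is retyped as inet_service even for protocols whose header does not carry ports there; since the intent is "source/destination port of TCP/UDP", it would be worth either stating that limitation in a comment next to the check or narrowing it, and replacing the bare `0` and `16` with named offsets (e.g. the sport/dport offsets already used by the TCP/UDP protocol templates) so the assumption is visible. Also note that retyping `@th,0,16` / `@th,16,16` changes how existing rulesets print these expressions (service names instead of integers), which deserves a line in the commit message or the man page.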
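The poster's set and the rule from the reply, assembled into a loadable ruleset as an added example that is not part of the original mail or of the nftables source. It assumes an nft binary built with the patch above (otherwise `@th,16,16` stays a plain integer and the concatenation does not type-check against the set's inet_service key); the interface name "wan0" and the addresses are placeholders.

```nft
# Constructed example: allow DNS (TCP and UDP) and NTP (UDP) to the listed
# addresses with one concatenated-set lookup.
#
# @th,16,16 reads 16 bits at bit offset 16 of the transport header. For both
# TCP and UDP that is the destination port (the source port sits at offset 0),
# so with the patch the field is typed inet_service and lines up with the
# third part of the set key. For other protocols those bits are something
# else, which is why "ip protocol" is part of the key: a packet that is not
# TCP/UDP simply never matches an element.
table inet filter {
	set allow_dns_ntp {
		type ipv4_addr . inet_proto . inet_service
		elements = { 1.2.3.4 . tcp . domain,
		             1.2.3.4 . udp . domain,
		             5.6.7.8 . udp . ntp }
	}

	chain input {
		type filter hook input priority 0; policy drop;

		ct state established,related accept

		# "wan0" stands in for the poster's $nic_wan; "lo" was used in the
		# reply's test rule.
		iifname "wan0" ip daddr . ip protocol . @th,16,16 @allow_dns_ntp ct state new counter accept
	}
}
```

Check it without touching the live ruleset with `nft -c -f allow_dns_ntp.nft`; on an unpatched nft the check fails at the concatenation because the raw payload expression has no service type. Later nftables releases added the `th` pseudo-protocol (`th dport`), which expresses the same destination-port match without raw offsets.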