Re: nftables and FTP connection tracking

On Thu, Aug 14, 2014 at 11:29:57AM +0200, tomekx1000 wrote:
> Dear All,
> 
> Could you have a look at my simple nft firewall script below, I've
> used ct related, established, but it doesn't work with passive mode
> FTP - the data session on high ports is dropped by firewall. Does
> NFTables have connection tracking helper for FTP?

Yes, no changes in that regard.

> If not - is it planned in foreseeable future to add it?
> 
> table ip filter {
>  chain input {
>  type filter hook input priority 0;
>  dport {21} ct state new limit rate 2/second counter accept

The brackets have special meaning. If you use brackets to wrap
elements, the kernel will create a set for it with one single element.
Better use the brackets when you have multiple elements. In this case,
I suggest you use:

   tcp dport 21 ...

>  ct state {established, related} counter accept
            ^                    ^

No need to use the brackets here:

   ct state established,related ...

The ct state allows enumeration of several states using commas. This
is due to the fact that ct state internally represents the states as a
bitmask.

You can check that using the describe command:

# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask,
integer), 32 bits

pre-defined symbolic constants:
        invalid                         0x00000001
        new                             0x00000008
        established                     0x00000002
        related                         0x00000004
        untracked                       0x00000040

Basically, all bitmask types can use the comma-separated enumeration
notation to combine the supported flags.

You can use describe to inquire for other selectors in case of doubt.
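For reference, here is the poster's input chain rewritten along the lines of the reply above, as an added example that is not part of the thread: a plain `tcp dport 21` match instead of a one-element set, the comma-separated `ct state` bitmask, and the FTP conntrack helper attached to the control connection so that passive-mode data connections are accepted as `related`. The `ct helper` object and the `ct helper set` rule are assumed to be available on the reader's nftables/kernel (they are a later feature than the versions discussed in 2014, which relied on the `nf_conntrack_ftp` module being loaded and assigned automatically).

```nft
# Added example, not the poster's original script.
table ip filter {
    # Kernel FTP helper; assumed available as an nftables "ct helper" object.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0;
        # Attach the helper to the FTP control connection so the data
        # connection announced by the server (PASV) is tracked as "related".
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Bitmask enumeration with commas, no braces needed.
        ct state established,related counter accept

        # Plain value rather than the one-element set { 21 }.
        tcp dport 21 ct state new limit rate 2/second counter accept
    }
}
```

Load it with `nft -f <file>`; `nft describe ct state` and `nft describe ct helper` show the datatypes involved.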