On Wed, 7 Feb 2018 20:26:32 +0100 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:

> > Could you possibly post all of the output from nft list ruleset?

Of course, I attached a textfile showing all the commands and output, and commenting what I don't understand / what does not seem to work. I also uploaded the textfile: http://termbin.com/8zql

Let me know if you need anything else.

> We need to keep ip6 nexthdr around, since this is implicitly
> restricting to match only IPv6 in the inet chain, where we can see
> IPv4 and IPv6 traffic.
>
> Looking into this.

So, are you saying that nftables is not behaving as intended, or am I doing something wrong? I'm new to networking and nftables, so I'm not sure my commands in the attached textfile are actually correct...

Thanks!

-- 
Merlin Büge <toni@xxxxxxxxxxxx>
[root@host test]# nft flush ruleset
[root@host test]# nft add table inet filter
[root@host test]# nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
[root@host test]# # filtering all IPv6 SSH traffic doesn't work:
[root@host test]# nft add rule inet filter input ip6 nexthdr tcp tcp dport ssh accept
[root@host test]# nft add rule inet filter input meta nfproto ipv6 tcp dport ssh accept
[root@host test]# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		tcp dport ssh accept
		tcp dport ssh accept
	}
}
[root@host test]# # filtering all IPv6 traffic or all IPv6 TCP traffic seems to work:
[root@host test]# nft add rule inet filter input meta nfproto ipv6 accept
[root@host test]# nft add rule inet filter input ip6 nexthdr tcp accept
[root@host test]# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		tcp dport ssh accept
		tcp dport ssh accept
		meta nfproto ipv6 accept
		ip6 nexthdr tcp accept
	}
}
[root@host test]# # but this also does not work:
[root@host test]# nft add rule inet filter input meta nfproto ipv6 meta l4proto tcp accept
[root@host test]# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		tcp dport ssh accept
		tcp dport ssh accept
		meta nfproto ipv6 accept
		ip6 nexthdr tcp accept
		meta l4proto tcp accept
	}
}
[root@host test]#
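As an added audit check (not from the thread or the nftables project), the script below parses `nft list ruleset` output and flags rules in an `inet` table whose listed form carries no address-family qualifier (`ip`, `ip6` or `meta nfproto`), which is exactly the shape the session above shows: a rule entered as IPv6-only that is listed, and therefore applied, to both IPv4 and IPv6. The LISTING sample is constructed from the session; the function names are this example's own.

```python
"""Flag rules in an nftables `inet` table that are listed without any
address-family restriction, so they match IPv4 and IPv6 alike.
Added example; LISTING is a constructed copy of the thread's session."""
import re

# Rule prefixes that restrict a rule to one address family in an inet chain.
FAMILY_QUALIFIERS = ("ip ", "ip6 ", "meta nfproto ", "nfproto ")

# Constructed sample: what `nft list ruleset` printed at the end of the session.
LISTING = """\
table inet filter {
\tchain input {
\t\ttype filter hook input priority 0; policy drop;
\t\ttcp dport ssh accept
\t\tmeta nfproto ipv6 accept
\t\tip6 nexthdr tcp accept
\t\tmeta l4proto tcp accept
\t}
}
"""

def parse_ruleset(text):
    """Return (family, table, chain, rule) tuples from `nft list ruleset` text."""
    family = table = chain = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                      # first '}' closes the chain, next the table
            if chain is not None:
                chain = None
            else:
                family = table = None
            continue
        m = re.match(r"table (\w+) (\S+) \{", line)
        if m:
            family, table = m.groups()
            continue
        m = re.match(r"chain (\S+) \{", line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or line.startswith(("type ", "policy ")):
            continue                         # chain header, not a rule
        rules.append((family, table, chain, line))
    return rules

def unrestricted_inet_rules(text):
    """Rules in inet tables that match only L3-agnostic fields (e.g. `tcp dport`)."""
    return [(table, chain, rule)
            for family, table, chain, rule in parse_ruleset(text)
            if family == "inet" and not rule.startswith(FAMILY_QUALIFIERS)]
```

Run it against `nft list ruleset` output on a host to see which `inet` rules you believed were family-specific actually apply to both families.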