On Sun, Feb 18, 2018 at 03:00:51PM +1100, Duncan Roe wrote:
> Hi Merlin,
>
> On Thu, Feb 08, 2018 at 04:14:15AM +0100, Merlin Büge wrote:
> > On Wed, 7 Feb 2018 20:26:32 +0100
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
...
> >
> > #!/usr/sbin/nft -f
> > flush ruleset
> >
> > # (existing table omitted)
> >
> > table inet filter \
> > {
> >     chain input \
> >     {
> >         type filter hook input priority 100; policy drop;
> >
> >         # Only for wlan0
> >         iif ne "wlan0" accept
> >
> >         ip6 nexthdr tcp tcp dport ssh counter drop;
> >         meta nfproto ipv6 tcp dport ssh counter accept
> >         counter log prefix "nft6: " level debug
> >     }
> > }
> > list ruleset
> >
> > *list ruleset* above produced the following:
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority 100; policy drop;
> >         iif != "wlan0" accept
> >         meta nfproto ipv6 ip6 nexthdr tcp tcp dport ssh counter packets 0 bytes 0 accept
> >         meta nfproto ipv6 meta l4proto tcp tcp dport ssh counter packets 0 bytes 0 accept
> >         counter packets 0 bytes 0 log prefix "nft6: " level debug
> >     }
> > }
> >
> > while stand-alone *nft list ruleset* shows:
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority 100; policy drop;
> >         iif != "wlan0" accept
> >         tcp dport ssh counter packets 0 bytes 0 accept
> >         tcp dport ssh counter packets 0 bytes 0 accept
> >         counter packets 0 bytes 0 log prefix "nft6: " level debug
> >     }
> > }
>
> I just re-tried this with the latest git snapshot (latest change 2018-02-15), and the output from stand-alone *nft list ruleset* has changed to:
>
> table inet filter {
>     chain input {
>         type filter hook input priority 100; policy drop;
>         iif != "wlan0" accept
>         ip6 nexthdr tcp tcp dport ssh counter packets 0 bytes 0 accept
>         meta nfproto ipv6 tcp dport ssh counter packets 0 bytes 0 accept
>         meta l4proto ipv6-icmp counter packets 1 bytes 72 accept
>         counter packets 1 bytes 84 log prefix "nft6: " level debug
>     }
> }

i.e. exactly as per the original script (whitespace and counter values excepted)

Cheers ... Duncan.
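As an added example (not part of the thread), here is a small Python check that does what Duncan did by eye: it strips the cosmetic differences between an nft script and `nft list ruleset` output (counter values, whitespace, `ne` versus `!=`, trailing `;`) and reports whatever textual differences remain, so an operator can confirm the loaded ruleset matches the policy file. The script and listing below are constructed samples modelled on the ones quoted above, with the ssh rules written as `accept`.

```python
import re

# Constructed sample: rules as written in an nft script (modelled on the thread).
SCRIPT = """
#!/usr/sbin/nft -f
flush ruleset
table inet filter \\
{
    chain input \\
    {
        type filter hook input priority 100; policy drop;
        # Only for wlan0
        iif ne "wlan0" accept
        ip6 nexthdr tcp tcp dport ssh counter accept
        meta nfproto ipv6 tcp dport ssh counter accept
        counter log prefix "nft6: " level debug
    }
}
"""
# Constructed sample: the same chain as an older nft printed it (extra prefixes).
LISTING = """
table inet filter {
    chain input {
        type filter hook input priority 100; policy drop;
        iif != "wlan0" accept
        meta nfproto ipv6 ip6 nexthdr tcp tcp dport ssh counter packets 0 bytes 0 accept
        meta nfproto ipv6 meta l4proto tcp tcp dport ssh counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 log prefix "nft6: " level debug
    }
}
"""
# Lines that describe structure rather than rules (shebang and comments start with '#').
STRUCTURAL = ("table ", "chain ", "type ", "flush ", "list ", "#", "{", "}")

def rules(text):
    """Return only the rule lines of an nft script or listing."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith(STRUCTURAL)]

def normalize(rule):
    """Remove cosmetic differences: counter values, 'ne'/'!=', ';', spacing."""
    rule = re.sub(r"counter packets \d+ bytes \d+", "counter", rule)
    rule = re.sub(r"\bne\b", "!=", rule).rstrip(";")
    return " ".join(rule.split())

def compare(script, listing):
    """Pair rules by position; return (script_rule, listed_rule) pairs that differ."""
    a = [normalize(r) for r in rules(script)]
    b = [normalize(r) for r in rules(listing)]
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    if len(a) != len(b):
        diffs.append(("%d rules in script" % len(a), "%d rules listed" % len(b)))
    return diffs

if __name__ == "__main__":
    for wanted, got in compare(SCRIPT, LISTING):
        print("script:", wanted, "\nlisted:", got)
```

The comparison is textual only: a listing that adds `meta nfproto ipv6` in front of an `ip6 nexthdr` rule is reported as a difference even though the two forms match the same packets.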