Thanks for your reply on this. I've gone ahead and submitted a bug report for
this, which can be found here: https://bugzilla.netfilter.org/show_bug.cgi?id=1249

On Fri, Apr 27, 2018 at 03:14:13PM +0200, nft.ml@xxxxxxxx wrote:
> On Fri, 27 Apr 2018, rypervenche wrote:
> > Hello Yves,
> >
> > Thank you for your configuration. I looked over it and see that you are
> > indeed using the "timeout 0s" to achieve what I was looking to achieve.
> > It seems that when I create a rule to do this, the "timeout 0s" simply
> > gets removed. I even copied your entire config and started my nftables
> > with it and as you can see below, all of the places where "timeout 0s"
> > was present in your config, it no longer exists in the actual running
>
> Oh, you are right! And I did not notice! I guess a simple solution, although
> less satisfying, is to replace 0 with 1... I suppose this is the smallest we
> can write above 0. IMO, this is a bug from nft.
>
> Thanks for notifying me! Cheers,
> Yves.
>
> > configuration. I simply cleared nftables of all rules, then ran "nft -f
> > /path/to/your/config/file" and then "nft list ruleset -nn" and below is
> > the result.
> >
> > Does yours show this as well? When I tested it, any "set update" would
> > simply restart the timeout to 1m. Is your configuration doing this as
> > well?
> >
> > I'm on kernel 4.14.35 and nftables version 0.8.3 in Gentoo.
> >
> > =================================================
> > table ip Inet4 {
> >     set Knocked_1 {
> >         type ipv4_addr
> >         timeout 10s
> >         gc-interval 4s
> >     }
> >
> >     set Knocked_2 {
> >         type ipv4_addr
> >         timeout 10s
> >         gc-interval 4s
> >     }
> >
> >     set Knocked_3 {
> >         type ipv4_addr
> >         timeout 10s
> >         gc-interval 4s
> >     }
> >
> >     set Knocked_4 {
> >         type ipv4_addr
> >         timeout 2m
> >         gc-interval 4s
> >     }
> >
> >     chain Knock_1 {
> >         set add ip saddr @Knocked_1
> >     }
> >
> >     chain Unknock_1 {
> >         set update ip saddr @Knocked_1
> >     }
> >
> >     chain Knock_2 {
> >         set update ip saddr @Knocked_1
> >         set add ip saddr @Knocked_2
> >     }
> >
> >     chain Unknock_2 {
> >         set update ip saddr @Knocked_2
> >     }
> >
> >     chain Knock_3 {
> >         set update ip saddr @Knocked_2
> >         set add ip saddr @Knocked_3
> >     }
> >
> >     chain Unknock_3 {
> >         set update ip saddr @Knocked_3
> >     }
> >
> >     chain Knock_4 {
> >         set update ip saddr @Knocked_3
> >         set add ip saddr @Knocked_4 log prefix "Port-Knock accepted: "
> >     }
> >
> >     chain RefreshKnock {
> >         set update ip saddr timeout 2m @Knocked_4
> >     }
> >
> >     chain PortKnock {
> >         ct state new ip saddr @Knocked_4 goto RefreshKnock
> >         tcp dport 456 ct state new ip saddr @Knocked_3 goto Knock_4
> >         tcp dport 345 ct state new ip saddr @Knocked_3 return
> >         ip saddr @Knocked_3 ct state new goto Unknock_3
> >         tcp dport 345 ct state new ip saddr @Knocked_2 goto Knock_3
> >         tcp dport 234 ct state new ip saddr @Knocked_2 return
> >         ip saddr @Knocked_2 ct state new goto Unknock_2
> >         tcp dport 234 ct state new ip saddr @Knocked_1 goto Knock_2
> >         tcp dport 123 ct state new ip saddr @Knocked_1 return
> >         ip saddr @Knocked_1 ct state new goto Unknock_1
> >         tcp dport 123 ct state new goto Knock_1
> >     }
> >
> >     chain FilterIn {
> >         type filter hook input priority 0; policy drop;
> >         ct state { established, related } accept
> >         ct state invalid drop
> >         iif "lo" accept
> >         ip protocol icmp accept
> >         jump PortKnock
> >     }
> >
> >     chain FilterOut {
> >         type filter hook output priority 0; policy accept;
> >     }
> > }
> > =================================================
> >
> >
> > On Fri, Apr 27, 2018 at 08:50:11AM +0200, nft.ml@xxxxxxxx wrote:
> > > Hi rypervenche,
> > >
> > > I have a working port-knocking nft firewall with this setup:
> > > http://yalis.fr/public/knock_nftables.conf
> > >
> > > In this example, the ports to knock are 123 234 345 456.
> > > I hope this helps. Cheers,
> > >
> > > Yves.
> > >
> > > On Thu, 26 Apr 2018, rypervenche wrote:
> > > > Hello,
> > > >
> > > > I'm looking to set up something of a port knocker in nftables. While I
> > > > can do this with sets with timeouts, I also would like the flexibility
> > > > to be able to remove an IP from one of said sets if the next packet that
> > > > gets sent from the source address is not the port in the specific order
> > > > I have chosen. This way port scanners would not be able to bruteforce all
> > > > of the ports within the timeout that I have chosen.
> > > >
> > > > Would it be possible to request the addition of a "delete" operation to
> > > > the following feature? https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path
> > > >
> > > > If this is not possible, would it be possible to use the "update"
> > > > operation to set the timeout to "0s" and thus have it immediately delete
> > > > the element in question? Currently trying to update the element with the
> > > > timeout 0s does not update the timeout, however non-zero timeouts do
> > > > work.
> > > >
> > > > While my syntax is likely not correct here, this is essentially the idea
> > > > in mind:
> > > >
> > > > table inet filter {
> > > >     set knock1 { type ipv4_addr; timeout 5s; }
> > > >     set knock2 { type ipv4_addr; timeout 5s; }
> > > >     set knock3 { type ipv4_addr; timeout 5s; }
> > > >     chain input {
> > > >         type filter hook input priority 0; policy drop;
> > > >         ct state established,related accept
> > > >         ... cut for space ...
> > > >         meta nfproto ipv4 counter packets 0 bytes 0 jump knock
> > > >         meta l4proto tcp counter packets 0 bytes 0 reject with tcp reset
> > > >         meta nfproto ipv4 counter packets 0 bytes 0 reject with icmp type prot-unreachable
> > > >         counter packets 0 bytes 0 reject
> > > >     }
> > > >     chain knock {
> > > >         tcp dport 1111 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock1 reject
> > > >         tcp dport != 2222 ip saddr @knock1 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock1
> > > >         tcp dport 2222 ip saddr @knock1 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock2 reject
> > > >         tcp dport != 3333 ip saddr @knock2 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock2
> > > >         tcp dport 3333 ip saddr @knock2 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock3 reject
> > > >         tcp dport != 4444 ip saddr @knock3 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock3
> > > >         tcp dport 4444 ip saddr @knock3 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 accept
> > > >     }
> > > > }
> > > >
> > > > Any and all help with this would be greatly appreciated.
> > > >
> > > > Thank you,
> > > >
> > > > rypervenche
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > > > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > >
> > >
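As an added illustration (a constructed Python model of my own, not nft code and not from the thread), the following simulates the dynamic-set semantics the configurations above rely on, with a flag that reproduces the reported behaviour of "timeout 0s" being dropped from the Unknock rule, so that the update refreshes the element to the set's default timeout instead of expiring it; 1s is the workaround Yves proposes. Port numbers, set timeouts and chain names follow Yves' config; the addresses and packet timings are constructed.

```python
KNOCK_PORTS = [123, 234, 345, 456]   # knock sequence from Yves' config
STAGE_TIMEOUT = 10                   # "timeout 10s" on Knocked_1..Knocked_3


class TimedSet:
    """Model of one nftables set with per-element timeouts (integer seconds)."""

    def __init__(self, default_timeout, zero_dropped):
        self.default = default_timeout
        self.zero_dropped = zero_dropped   # emulate the nft 0.8.3 behaviour reported
        self.expiry = {}                   # element -> absolute expiry time

    def has(self, elem, now):
        return self.expiry.get(elem, 0) > now

    def add(self, elem, now):
        """'set add': insert if absent; an existing element is not refreshed."""
        if not self.has(elem, now):
            self.expiry[elem] = now + self.default

    def update(self, elem, now, timeout=None):
        """'set update [timeout T]': insert or refresh; None means set default."""
        if timeout == 0 and self.zero_dropped:
            timeout = None   # "timeout 0s" vanishes from the rule, default applies
        self.expiry[elem] = now + (self.default if timeout is None else timeout)


def stage_of(stages, saddr, now):
    """Highest knock stage saddr currently holds, or -1 if none."""
    return max((i for i, s in enumerate(stages) if s.has(saddr, now)), default=-1)


def run_knock(packets, unknock_timeout, zero_dropped):
    """Feed (time, saddr, dport) packets through a PortKnock-style chain.

    The next port in sequence advances the address one stage; any other port
    runs the Unknock rule, i.e. 'set update' with unknock_timeout seconds
    (0 = the intent in the thread, 1 = Yves' workaround). Returns the stage
    sets and the final 'accepted' set (Knocked_4) for inspection."""
    stages = [TimedSet(STAGE_TIMEOUT, zero_dropped) for _ in KNOCK_PORTS[:-1]]
    accepted = TimedSet(120, zero_dropped)              # Knocked_4, "timeout 2m"
    for now, saddr, dport in packets:
        i = stage_of(stages, saddr, now)
        if i == -1:
            if dport == KNOCK_PORTS[0]:
                stages[0].add(saddr, now)
        elif dport == KNOCK_PORTS[i + 1]:               # next knock: advance
            (stages + [accepted])[i + 1].add(saddr, now)
        elif dport != KNOCK_PORTS[i]:                   # wrong port: Unknock_<i+1>
            stages[i].update(saddr, now, unknock_timeout)
    return stages, accepted
```

With the dropped timeout, a packet on a wrong port extends the stage window rather than closing it, which is exactly the "restart the timeout" effect observed above.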