Re: nftables 0.9.3, sets with concatentation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2020/03/20 11:51, Stefan Hartmann wrote:


For the sake of a well-arranged ruleset,
it would be nice to have a concatenated set like
     set s4_MISC-SERVICES {
         type inet_proto . inet_service
         elements = { udp . 69, tcp . 23 ]

and then use this set like
     ip daddr $IP4_IF2 . dport @s4_MISC-SERVICES accept

But I got a syntax error "unexpected dport".
With eg ip daddr $IP4_IF2 . udp dport @s4_MISC-SERVICES accept it is working, but this is here useless for simplyfying.
What is the right syntax or is the mixing of udp and tcp in this manner impossible? Is there a better approach to get the abstraction from a group of services into a mixed tcp udp ruleset? 

Hi Stefan,
Interesting problem. A simple approach would be to use 2 rules, one for udp services and one for tcp services. 

But I get that you'd prefer to handle both in a single rule.
The man page suggests a solution: use the raw payload expression:
https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression

I'm unsure of exactly the match you're after, because in your example
set s4_MISC-SERVICES type is inet_proto . inet_service
but then you try to match against ipv4_addr . inet_service

If you in fact want ipv4_addr . inet_proto . inet_service
it looks like this should work:

set s4_MISC-SERVICES {
          type ipv4_addr . inet_proto . inet_service
          elements = { $IP4_IF2 . udp . 69, $IP4_IF2 . tcp . 23 ]

meta l4proto {tcp, udp} \
	ip daddr . meta l4proto . th dport @s4_MISC-SERVICES   accept


Or, you may well want to handle ipv4 addresses in a separate set:

set s4_MISC-SERV2 {
	type inet_proto . inet_service
      	elements = { udp . 69, tcp . 23 ]

set ip_allowed {
	type ipv4_addr
	elements = { $IP4_IF2 }

ip daddr @ ip_allowed   meta l4proto {tcp, udp} \
	meta l4proto . th dport @s4_MISC-SERVICES   accept
The apparently redundant meta l4proto {tcp, udp} in both versions above is because the man page notes you must take care not to use raw match without verifying the actual type of packet.
Disclaimer: I am an nftables newbie, and have not tried the above. But enjoyed taking a stab at it. Let us know if it works. :-) 

Best regards,
Frank
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux