On 2020/03/22 10:11, Reindl Harald wrote:
On 22.03.20 at 14:40, Darius wrote:
Hi,
I can't find a way to make one rule match packets with the same dport on either tcp or udp. So far I have rules like this:
ip protocol tcp tcp dport 2000 counter accept
ip protocol udp udp dport 2000 counter accept
I would like to have one rule instead. I couldn't find a way to do it with intervals or maps, because the dport statement must go together with tcp or udp.
Not sure about nftables, but with iptables "ipset" is the solution:
--------------------
Name: DNS_PORT
Type: bitmap:port
Header: range 53-53
Size in memory: 80
Number of entries: 1
Members:
53
--------------------
9 1333K 102M IN_DNS all -- * * 0.0.0.0/0 0.0.0.0/0 match-set DNS_PORT dst
nftables has its own concept of sets:
https://wiki.nftables.org/wiki-nftables/index.php/Sets
I don't know of a way to use ipset with nftables. I think you would have
to use iptables in parallel, taking care with ordering nftables &
iptables hooks so that your combined ruleset does what you intend.
Trickier than I'd like to set up & maintain...
I was interested to learn of this use of ipset... I'd glossed over the
bitmap:port section of the ipset man page:
http://ipset.netfilter.org/ipset.man.html#lbAV
Now I'm wondering whether the ipset bitmap:port match (using iptables)
requires the additional precaution of first matching only the (udp, tcp)
protocols, as is the case with the nftables raw match? Or does this ipset
match do this check implicitly?
Cheers,
Frank
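As an added illustration (not from any of the posters above) of the nftables-native answer to Darius's question and of the protocol-check precaution Frank raises: a single rule that restricts the packet to TCP or UDP with `meta l4proto` and then matches the transport-header destination port, using an nftables set as the counterpart of the ipset. The table and set names, the `inet` family and the base chain are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not part of the original thread.
flush ruleset

table inet filter {
    # Named set of service ports, the nftables analogue of the ipset
    # bitmap:port shown above; "inet_service" is the port type.
    set svc_ports {
        type inet_service
        elements = { 2000 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # One rule for both protocols: constrain the layer-4 protocol
        # first, then match the destination port in the transport header.
        # "th dport" is syntactic sugar for the raw payload expression
        # @th,16,16 (16 bits at bit offset 16 of the transport header).
        meta l4proto { tcp, udp } th dport @svc_ports counter accept

        # Equivalent explicit raw form. The meta l4proto match is not
        # optional here: without it, @th,16,16 would be compared against
        # bytes 2-3 of whatever transport header the packet carries
        # (ICMP, SCTP, ...), not only against a TCP/UDP destination port.
        # meta l4proto { tcp, udp } @th,16,16 2000 counter accept
    }
}
```

`nft -c -f <file>` checks the syntax without loading it; `nft list ruleset` afterwards shows the `th dport` form rewritten as `@th,16,16`, which makes the dependency on the preceding `meta l4proto` match visible.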