On Tue, Oct 06, 2020 at 08:54:00AM +0000, ѽ҉ᶬḳ℠ wrote:
> On 06/10/2020 10:31, Pablo Neira Ayuso wrote:
> > On Mon, Oct 05, 2020 at 12:56:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> > > I am trying to get a granular logging rule going, combining tcp and udp
> > > sports for ip6 saddr but somehow failing:
> > >
> > > tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6 log
> > > flags all prefix "G_C :" continue
> > >
> > > -> Error: conflicting protocols specified: tcp vs. udp
> >
> > I suggest you express things in less convoluted ways, i.e. positive
> > logic and default action to drop in your ruleset.
> >
> > nft add rule ip6 x y meta l4proto . th dport { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @y accept
> >
> > You can set default policy in the chain to drop.
>
> Thank you for the input. The rule is just for logging/debugging, not for
> dropping frames, and the logic is not to log:
>
> * frames from tcp sport(s) 80, 443, 993, 5228
> * frames from udp sport 19302
>
> but log all other frames from ip6 saddr @foo.
>
> For that purpose inverting positive (consulted) logic seemed the way to go
> and this should work then:
>
> meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @foo flags all prefix "bar :" continue;

almost...

add rule ip6 x y meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } \
        ip6 saddr @foo log flags all prefix "bar :" continue

Missing log before flags.
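For readers who want the corrected rule in context, here is a complete loadable ruleset built from the thread's final form. It is an added example, not a ruleset posted by either participant: the table `x`, chain `y` and set `@foo` are the names used in the thread, while the hook, priority and the two sample addresses in the set are constructed placeholders (`2001:db8::/32` is the documentation prefix). The concatenation `meta l4proto . th sport` is matched against one anonymous set of protocol/port pairs, so tcp and udp source ports are excluded in a single expression instead of two conflicting `sport` matches, and `continue` keeps evaluating the chain after the log statement so the rule only observes traffic and never decides its fate.

```nft
# Added example: logging rule for "everything from @foo except the listed
# tcp/udp source ports", using the meta l4proto . th sport concatenation.
table ip6 x {
    # Addresses whose traffic should be logged. Sample elements are
    # constructed placeholders from the 2001:db8::/32 documentation prefix.
    set foo {
        type ipv6_addr
        elements = { 2001:db8::1, 2001:db8::2 }
    }

    # Hook and priority are assumptions for this example; the policy stays
    # accept because the rule below is purely for logging/debugging.
    chain y {
        type filter hook input priority filter; policy accept;

        # Match sources in @foo whose (protocol, source port) pair is NOT one
        # of the listed pairs, log the full header with the "bar :" prefix,
        # then carry on with the rest of the chain (continue = non-terminating).
        meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } \
            ip6 saddr @foo log flags all prefix "bar :" continue
    }
}
```

Save it to a file and run `nft -c -f <file>` first: `-c` (`--check`) parses and validates the ruleset without loading it, so a syntax slip such as the missing `log` keyword from the thread is caught before anything touches the live tables. Note that `th sport` reads the transport header generically, so packets from a source in `@foo` that carry neither tcp nor udp (ICMPv6, for instance) are also outside the excluded set and will be logged, which is usually what a debugging rule wants but is worth knowing when reading the output.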