On Wed, 7 Dec 2022 12:29:00 +0100 Florian Westphal <fw@xxxxxxxxx> wrote:

> Aaron Fischer <mail@xxxxxxxxxxxxxxxxx> wrote:
> > Is there a way to somehow access the origin sport (8448 in my
> > case), so I can filter for it in the FORWARD chain?
>
> Yes, the original addresses are stored in conntrack: 'ct original
> proto-src 8448'

Thank you for this valuable hint! I've tested it with this bare minimum config:

alpine-test:/etc# cat nft-ct.nft
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority filter
        policy accept
    }

    chain FORWARD {
        type filter hook forward priority filter
        policy drop
        ct original proto-src 8448 accept
    }
}

But the config seems invalid:

alpine-test:/etc# nft -c -f /etc/nft-ct.nft
/etc/nft-ct.nft:14:31-34: Error: Can't parse symbolic invalid expressions
        ct original proto-src 8448 accept
                              ^^^^

Not sure why. Various examples and the man page also show it the way you mentioned. The source code doesn't give me much more insight into what the syntax should be. Why is 8448 an "invalid" type?

I use the latest version of the nft tool (v1.0.5).

Aaron
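Added example, not part of the thread: the FORWARD chain from the post with the failing rule kept as a comment beside the form that first tells nft the transport protocol, which is what it needs to give the port in 'ct original proto-src' a datatype. This reading of the "invalid" datatype error is my understanding, not something the thread states, and the example assumes the service on port 8448 is TCP.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumes the port 8448 traffic is TCP.

flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;

        # As posted: the datatype of 'ct original proto-src' is only known once
        # nft knows the layer-4 protocol, so the bare number cannot be typed and
        # 'nft -c' reports "Can't parse symbolic invalid expressions".
        #   ct original proto-src 8448 accept

        # Naming the transport protocol first supplies that context
        # (assumption: the 8448 service is TCP; use 'udp' for a UDP service).
        # The counter lets you confirm the rule actually sees traffic.
        meta l4proto tcp ct original proto-src 8448 counter accept
    }
}
```

Validate with 'nft -c -f <file>' as in the post; once loaded, 'nft list chain ip filter FORWARD' shows the counter increasing when matching connections are forwarded.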