On Tue, 16 Apr 2024 19:12:50 -0000 "William N." <netfilter@xxxxxxxxxx> wrote:

> Thank you, Kerin!
>
> Could you please also tell me:
>
> What is the way to actually test this rule? I.e. how do I send
> "improper" packets to see it do its work?
>
> I have been successfully testing my other rules using nmap from another
> host and watching the 'journal -kf' and 'nft monitor trace' but this
> one is difficult for me.
>

Firstly, I wrote the rule in such a way as to ease the testing process.

    tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter, ip6 . 0-1219 counter }

Secondly, I wrote a crude script to generate a SYN packet while being able to set the MSS option to an arbitrary value.

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::RawIP;

    # Usage: test-mss SADDR DADDR MSS
    @ARGV == 3 or exit 1;
    my ($saddr, $daddr, $mss) = @ARGV;

    my $pkt = Net::RawIP->new;
    # A bare SYN segment from port 1234 to port 1234
    $pkt->set({
        'ip'  => { 'saddr' => $saddr, 'daddr' => $daddr },
        'tcp' => { 'source' => 1234, 'dest' => 1234, 'syn' => 1 }
    });
    # TCP option kind 2 (MSS) carrying a 16-bit big-endian value
    $pkt->optset('tcp' => { 'type' => [ 2 ], 'data' => [ pack('n', $mss) ] });
    # Send the packet once, with no delay
    $pkt->send(0, 1);

Note that this requires the Net::RawIP module, which should be offered by your distribution as an installable package.

Thirdly, I ran the script, specifying a value that was not expected to match the rule.

    # ./test-mss 127.0.0.1 127.0.0.1 536

By listing the ruleset, I could see that the counter had not increased.

Fourthly, I ran the script again, specifying a value that was expected to match the rule.

    # ./test-mss 127.0.0.1 127.0.0.1 535

By listing the ruleset, I could see that the counter had increased.

    tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter packets 1 bytes 44, ip6 . 0-1219 counter packets 0 bytes 0 }

There are probably some utilities that can do this. Certainly, there are other libraries; I hear that Scapy is a particularly good one.

-- 
Kerin Millar
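As an added illustration, not part of this thread or of nftables itself, the matching logic of the rule above reproduced in Python over constructed TCP SYN headers, so the boundary values used in the test (535/536 for ip, 1219/1220 for ip6) can be checked without sending a packet; the function names, and the constructed headers, are mine.

```python
import struct

# Upper bounds of the MSS ranges in the rule above (ip . 0-535, ip6 . 0-1219)
MSS_MAX = {"ip": 535, "ip6": 1219}
TCP_FLAG_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MAXSEG = 0, 1, 2


def build_syn(mss, sport=1234, dport=1234):
    """Constructed test input: a minimal TCP SYN header with a single MSS option,
    the same shape the Perl script emits (kind 2, length 4, pack('n', mss))."""
    option = struct.pack("!BBH", TCPOPT_MAXSEG, 4, mss)
    data_offset = (20 + len(option)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0)
    # 24 bytes; behind a 20-byte IPv4 header that is the 44 bytes the counter reports
    return header + option


def parse_tcp_options(segment):
    """Return {kind: data} for the options of a TCP header, honouring EOL/NOP and
    rejecting truncated or malformed lengths rather than reading past the header."""
    end = (segment[12] >> 4) * 4
    opts, i = {}, 20
    while i < end:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("bad TCP option length %d" % length)
        opts[kind] = segment[i + 2:i + length]
        i += length
    return opts


def rule_matches(segment, family):
    """Emulate 'tcp flags syn meta protocol . tcp option maxseg size { ... }':
    SYN set, MSS option present, and its value inside the family's range."""
    if not segment[13] & TCP_FLAG_SYN:
        return False
    mss_data = parse_tcp_options(segment).get(TCPOPT_MAXSEG)
    if mss_data is None or len(mss_data) != 2:
        return False                               # no MSS option: the concatenation cannot match
    (mss,) = struct.unpack("!H", mss_data)
    return mss <= MSS_MAX[family]
```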