Can't get "tcp dport 22 @ih,0,32 0x5353482d" to work/match

Hi,


I'm trying to write an nftables rule set that should eventually allow multiplexing SSH and TLS on TLS port 443. The idea is to match the "SSH-" string in the TCP payload of the SSH client's first packet of the connection/handshake to port 443, and then redirect/forward that TCP connection to port 22, where the actual SSH server is running.

However, I seem unable to get "@ih" expressions to work/match at all - even when I write two "@ih" expressions that should match the exact complement of each other, neither of them matches anything. Here's the full output of "nft list ruleset" after one SSH connection to port 22:

# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iif "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		udp dport 51820 accept comment "allow wireguard"
		tcp dport 22 @ih,0,32 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 1 ##### " flags all accept comment "allow SSH- via SSH port"
		tcp dport 22 @ih,0,32 != 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 2 ##### " flags all accept comment "allow SSH- via SSH port"
		tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"
		tcp dport 22 accept comment "allow ssh"
		udp dport 443 accept comment "allow http/3"
		tcp dport 443 @ih,0,32 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 4 ##### " flags all accept comment "allow SSH- via HTTPS port"
		tcp dport 443 @ih,0,32 != 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 5 ##### " flags all accept comment "allow SSH- via HTTPS port"
		tcp dport 443 counter packets 45 bytes 3052 log prefix "##### SSH DEBUG 6 ##### " flags all accept comment "allow SSH- via HTTPS port"
		tcp dport 443 counter packets 0 bytes 0 accept comment "allow https"
		tcp dport 80 accept comment "allow http"
		counter packets 0 bytes 0 continue
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 continue
	}
}


Note that the incoming SSH connection on port 22 only incremented the counter for the "SSH DEBUG 3" line, but not the counter for either of the two preceding lines ("SSH DEBUG 1" and "SSH DEBUG 2"). What am I doing wrong?

I'm using Arch Linux x86_64 with testing repos enabled, with the nftables package 1:1.0.9-3 from the Arch repos, and a custom kernel that's basically the equivalent of linux-hardened 6.9.3-rc1.


Regards
Pascal
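As an added example (not part of Pascal's post or of nftables itself), a small Python model of what `@ih,0,32 0x5353482d` compares: the four bytes after the TCP header, read big-endian, against the ASCII string "SSH-". It also covers the edge case that matters for a handshake: a segment with no payload, such as the SYN that opens the connection, gives the expression nothing to load, so neither the `==` nor the `!=` form of the rule matches it; the helper names and sample segments below are constructed, not captured traffic.

```python
import struct

# 0x5353482d read big-endian is the ASCII string "SSH-", the value that the
# rule "tcp dport 22 @ih,0,32 0x5353482d" compares against the first 32 bits
# of the inner header (the bytes after the TCP header).
SSH_MAGIC = 0x5353482D


def build_tcp_segment(sport, dport, flags, payload=b"", options=b""):
    """Build a constructed TCP segment: header, options, payload (checksum 0)."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    off_flags = (data_offset << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)
    return header + options + payload


def tcp_payload(segment):
    """Return the bytes after the TCP header, i.e. what nftables calls @ih."""
    data_offset = (segment[12] >> 4) * 4
    return segment[data_offset:]


def ih_match(segment, offset_bits, length_bits, value, negate=False):
    """Emulate '@ih,<offset>,<length> [!=] <value>' on one segment.

    Returns True or False for a comparison result, or None when the payload
    is too short to load the requested bytes; nftables aborts the rule in
    that case, so neither the '==' nor the '!=' form matches the packet.
    """
    payload = tcp_payload(segment)
    start, nbytes = offset_bits // 8, length_bits // 8
    if len(payload) < start + nbytes:
        return None
    loaded = int.from_bytes(payload[start:start + nbytes], "big")
    return (loaded != value) if negate else (loaded == value)


# Constructed samples: the SYN that opens the handshake (options, no payload),
# the client's first data segment with the SSH banner, and a TLS ClientHello.
MSS_OPTION = b"\x02\x04\x05\xb4"                  # MSS 1460, exactly 4 bytes
SYN = build_tcp_segment(40000, 22, 0x02, options=MSS_OPTION)
SSH_BANNER = build_tcp_segment(40000, 22, 0x18, b"SSH-2.0-OpenSSH_9.7\r\n")
TLS_HELLO = build_tcp_segment(40000, 443, 0x18, b"\x16\x03\x01\x00\xf0\x01\x00")


if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("SSH banner", SSH_BANNER), ("TLS hello", TLS_HELLO)):
        print(name, "==", ih_match(seg, 0, 32, SSH_MAGIC),
              "!=", ih_match(seg, 0, 32, SSH_MAGIC, negate=True))
```

In the ruleset above, data segments carrying the banner are already accepted by the earlier `ct state { established, related } accept` rule, so the only packet of a new connection that reaches the debug rules is the payload-less SYN.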

