Re: Can't get "tcp dport 22 @ih,0,32 0x5353482d" to work/match

Pascal Ernster <netfilter@xxxxxxxxxxxxxx> wrote:
> Hi,
> 
> 
> I'm trying to write an nftables rule set that should eventually allow
> multiplexing SSH and TLS on TLS port 443. The idea is to match the "SSH-"
> string in the TCP payload of the SSH client's first packet of the
> connection/handshake to port 443, and then redirect/forward that TCP
> connection to port 22, where the actual SSH server is running.

You cannot redirect once the first packet has been processed.

> However, I seem unable to get "@ih" expressions to work/match at all - even
> when I write two "@ih" expressions that should match the exact complement of
> each other, none of them match anything. Here's the full output of "nft list
> ruleset" after one SSH connection to port 22:
> 
> > # nft list ruleset
> > table inet filter {
> > 	chain input {
> > 		type filter hook input priority filter; policy drop;
> > 		ct state invalid drop comment "early drop of invalid connections"
> > 		ct state { established, related } accept comment "allow tracked connections"

Rule above accepts the packet with SSH string in the payload.

> > 		tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"

... and this matches the initial SYN packet.
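The reply above points at rule ordering: in an nftables chain, rules are evaluated top to bottom, so a packet accepted by the earlier `ct state { established, related } accept` never reaches a payload match placed below it. The SSH client's first data packet (the one carrying "SSH-") arrives after the three-way handshake and is already tracked as established. The ruleset below is an added example, not part of the original thread and not anyone's posted configuration; it only moves the raw-payload rule above the generic conntrack accept so that the counter and log fire. It does not attempt the port-22 redirect, which, as the reply states, is not possible once the first packet has been processed. The `0x5353482d` value is the ASCII bytes "S", "S", "H", "-" as a 32-bit big-endian word, and `@ih,0,32` means inner header, bit offset 0, length 32 bits.

```nft
# Added example (not from the original thread): load with "nft -f" after
# checking syntax with "nft -c -f <file>". Assumes an SSH server on port 22.
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		ct state invalid drop comment "early drop of invalid connections"

		# Raw payload match placed BEFORE the established/related accept.
		# The SYN has no payload and does not match here; the first data
		# packet of the handshake carries "SSH-" at payload offset 0 and does.
		tcp dport 22 @ih,0,32 0x5353482d counter log prefix "##### SSH BANNER ##### " accept comment "count SSH- banner packets"

		# In the posted ruleset this rule came first and accepted the banner
		# packet before any @ih rule could see it.
		ct state { established, related } accept comment "allow tracked connections"

		# Initial SYN (no payload) is accepted here so the handshake completes.
		tcp dport 22 counter accept comment "allow SSH via SSH port"
	}
}
```

After one SSH connection, the first counter should show exactly one packet (the banner) and the second should show the SYN; if the `@ih` counter still reads zero, check that the chain is the one actually seeing the traffic and that no earlier chain or rule accepts the established packet first.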
