Pascal Ernster <netfilter@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> I'm trying to write an nftables rule set that should eventually allow
> multiplexing SSH and TLS on TLS port 443. The idea is to match the "SSH-"
> string in the TCP payload of the SSH client's first packet of the
> connection/handshake to port 443, and then redirect/forward that TCP
> connection to port 22, where the actual SSH server is running.

You cannot redirect once the first packet has been processed.

> However, I seem unable to get "@ih" expressions to work/match at all - even
> when I write two "@ih" expressions that should match the exact complement of
> each other, none of them match anything. Here's the full output of "nft list
> ruleset" after one SSH connection to port 22:
>
> > # nft list ruleset
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter; policy drop;
> >         ct state invalid drop comment "early drop of invalid connections"
> >         ct state { established, related } accept comment "allow tracked connections"

The rule above accepts the packet with the SSH string in the payload.

> >         tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"

... and this matches the initial SYN packet.
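To make the diagnosis in the reply observable, here is an added example ruleset; it is not the poster's ruleset and not part of the reply. It assumes the raw payload expression `@ih,0,32 == 0x5353482d` (the four ASCII bytes of "SSH-") as the banner match, since the poster's own @ih rules are not visible in the quoted output, and it places that match above the `ct state { established, related } accept` rule so that the second client packet, the one that actually carries the banner, can still reach it instead of being accepted as a tracked packet first. The counter on that rule is what you would check after a test connection.

```nft
# Added example, constructed for illustration: order the payload test before
# the tracked-connection accept so the "SSH-" banner packet reaches it.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop comment "early drop of invalid connections"

        # Assumed match expression: first 32 bits of the TCP payload equal
        # "SSH-" (0x53 0x53 0x48 0x2d). The SYN has no payload and cannot
        # match here; only the client's banner packet can.
        tcp dport 443 @ih,0,32 == 0x5353482d counter log prefix "SSH banner on 443 " accept comment "observe SSH banner on port 443"

        # Kept below the payload test: on its own, this rule would accept the
        # banner packet before any later @ih rule is evaluated.
        ct state { established, related } accept comment "allow tracked connections"

        # New connections to the real SSH port (this is the rule that only ever
        # sees the SYN, hence "packets 1" in the original counter).
        tcp dport 22 ct state new counter accept comment "allow SSH"
    }
}
```

This ordering only shows that the payload match fires; it does not make the redirect-to-22 idea work. Redirect and dnat are decided on the connection's first packet, which for TCP is the SYN and carries no application data, so by the time a packet containing "SSH-" exists the connection's destination is already fixed, which is the point the reply makes.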