Pascal Ernster <netfilter@xxxxxxxxxxxxxx> wrote:
> Hi,
>
>
> I'm trying to write an nftables rule set that should eventually allow
> multiplexing SSH and TLS on TLS port 443. The idea is to match the "SSH-"
> string in the TCP payload of the SSH client's first packet of the
> connection/handshake to port 443, and then redirect/forward that TCP
> connection to port 22, where the actual SSH server is running.
You cannot redirect once the first packet has been processed.
> However, I seem unable to get "@ih" expressions to work/match at all - even
> when I write two "@ih" expressions that should match the exact complement of
> each other, none of them match anything. Here's the full output of "nft list
> ruleset" after one SSH connection to port 22:
>
> > # nft list ruleset
> > table inet filter {
> > chain input {
> > type filter hook input priority filter; policy drop;
> > ct state invalid drop comment "early drop of invalid connections"
> > ct state { established, related } accept comment "allow tracked connections"
Rule above accepts the packet with SSH string in the payload.
> > tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"
... and this matches the initial SYN packet.
