* using sets as input to sets
@ 2020-07-28  9:27 harald
From: harald @ 2020-07-28  9:27 UTC (permalink / raw)
  To: netfilter

Hello,

I have the following nftables script:

define guarded_ports = {ssh}

table inet portknock {
        set port2 {
                type inet_service
                flags timeout
                timeout 60m
        }

        set port3 {
                type inet_service
                flags timeout
                timeout 60s
        }

        set clients {
                type ipv4_addr
                flags timeout
        }

        set candidates {
                type ipv4_addr . inet_service
                flags timeout
        }

        chain input {
                type filter hook input priority -10; policy accept;

                iifname "lo" return

                tcp dport 12345 add @candidates {ip saddr . @port2 timeout 10s}
                tcp dport @port2 ip saddr . tcp dport @candidates add @candidates {ip saddr . @port3 timeout 10s}
                tcp dport @port3 ip saddr . tcp dport @candidates add @clients {ip saddr timeout 10s}

                tcp dport $guarded_ports ip  saddr @clients accept
                tcp dport $guarded_ports ct state established,related accept

                tcp dport $guarded_ports reject with tcp reset

        }
}

When trying to apply it, it throws the following error with nftables v0.9.6 (Capital Idea #2):

/tmp/rules:31:48-52: Error: syntax error, unexpected string, expecting ll or nh or th
                tcp dport 12345 add @candidates {ip saddr . @port2 timeout 10s}
                                                             ^^^^^
/tmp/rules:32:82-86: Error: syntax error, unexpected string, expecting ll or nh or th
                tcp dport @port2 ip saddr . tcp dport @candidates add @candidates {ip saddr . @port3 timeout 10s}
                                                                                               ^^^^^

So my question is: is this even supposed to work or not? If not, then maybe somebody could tell me why, and if it is supposed to work, why doesn't it?

Kind regards
Harald Jenny


* Re: using sets as input to sets
  2020-07-28  9:27 using sets as input to sets harald
@ 2020-07-29 12:17 ` Florian Westphal
From: Florian Westphal @ 2020-07-29 12:17 UTC (permalink / raw)
  To: harald; +Cc: netfilter

harald@a-little-linux-box.at <harald@a-little-linux-box.at> wrote:
[..]
> table inet portknock {
>         set port2 {
>                 type inet_service
[..]

>         set candidates {
>                 type ipv4_addr . inet_service
>                 flags timeout
>         }

[..]
>                 tcp dport 12345 add @candidates {ip saddr . @port2 timeout 10s}

What is that supposed to do?

@candidate expects ip address + port.

> So my question is: is this even supposed to work or not? If not, then maybe somebody could tell me why, and if it is supposed to work, why doesn't it?

It's not possible to add a set to a set, if that's what you are asking.

I suspect you already found
https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example ?

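As an added illustration of Florian's point (this is not code from the thread or from the wiki page he links), the original ruleset rewritten so that each knock stage stores a literal next port in @candidates instead of referencing the @port2/@port3 sets; the knock ports 23456 and 34567 are constructed sample values, and the guarded port stays ssh as in Harald's script:

```nft
# Added example. Sample knock sequence 12345 -> 23456 -> 34567 is constructed;
# only the first knock port and the guarded port come from the original script.
define guarded_ports = { ssh }
define knock1 = 12345
define knock2 = 23456
define knock3 = 34567

table inet portknock {
        set clients {
                type ipv4_addr
                flags timeout
        }

        # Element = source address . port expected for the *next* knock.
        set candidates {
                type ipv4_addr . inet_service
                flags timeout
        }

        chain input {
                type filter hook input priority -10; policy accept;

                iifname "lo" return

                # A set element must be a concrete value: a set reference such as
                # "@port2" is not accepted inside "{ ip saddr . ... }", which is what
                # the "expecting ll or nh or th" parse error was complaining about.
                tcp dport $knock1 add @candidates { ip saddr . $knock2 timeout 10s }
                tcp dport $knock2 ip saddr . tcp dport @candidates add @candidates { ip saddr . $knock3 timeout 10s }
                tcp dport $knock3 ip saddr . tcp dport @candidates add @clients { ip saddr timeout 10s }

                # Only clients that completed the full sequence within the timeouts
                # get a 10 second window to open the guarded port.
                tcp dport $guarded_ports ip saddr @clients accept
                tcp dport $guarded_ports ct state established,related accept
                tcp dport $guarded_ports reject with tcp reset
        }
}
```

Check the file with `nft -c -f <file>` before loading it; the second and third stage rules only match when the source address is paired with the exact port the previous stage stored, so knocking out of order does not advance a client.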

* Re: using sets as input to sets
  2020-07-29 12:17 ` Florian Westphal
@ 2020-07-29 14:26   ` harald
From: harald @ 2020-07-29 14:26 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

> [..]
>> table inet portknock {
>>         set port2 {
>>                 type inet_service
> [..]
> 
>>         set candidates {
>>                 type ipv4_addr . inet_service
>>                 flags timeout
>>         }
> 
> [..]
>>                 tcp dport 12345 add @candidates {ip saddr . @port2 timeout 10s}
> 
> What is that supposed to do?

It's supposed to add the ip saddr and the dynamically added port from set port2 to set candidates.

> 
> @candidate expects ip address + port.

Well, port2 is defined as inet_service, so that would match, wouldn't it?

> 
>> So my question is: is this even supposed to work or not? If not, then maybe somebody could tell me why, and if it is supposed to work, why doesn't it?
> 
> It's not possible to add a set to a set, if that's what you are asking.

So you can only add a number or a port description to an inet_service set, but not a set which contains an inet_service, I understand.

> 
> I suspect you already found
> https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example ?

Yes, my version is a modified example of the first one.

