* Failing to construct a 'set' for TCP Flag filtering.
From: Chris Hall @ 2020-09-02 16:44 UTC
To: netfilter
I have constructed the file 'tryx' containing:
#---------------------------------------------------
flush ruleset
add table ip MAIN
add set ip MAIN tcp_good_flags { type tcp_flag ; flags constant ; \
elements = { \
( 0 | 0 | 0 |ack| 0 | 0 ), \
( 0 | 0 | 0 |ack| 0 |urg), \
( 0 | 0 | 0 |ack|psh| 0 ), \
( 0 | 0 | 0 |ack|psh|urg), \
( 0 | 0 |rst| 0 | 0 | 0 ), \
( 0 | 0 |rst|ack| 0 | 0 ), \
( 0 | 0 |rst|ack| 0 |urg), \
( 0 | 0 |rst|ack|psh| 0 ), \
( 0 | 0 |rst|ack|psh|urg), \
( 0 |syn| 0 | 0 | 0 | 0 ), \
( 0 |syn| 0 |ack| 0 | 0 ), \
( 0 |syn| 0 |ack| 0 |urg), \
( 0 |syn| 0 |ack|psh| 0 ), \
( 0 |syn| 0 |ack|psh|urg), \
(fin| 0 | 0 |ack| 0 | 0 ), \
(fin| 0 | 0 |ack| 0 |urg), \
(fin| 0 | 0 |ack|psh| 0 ), \
(fin| 0 | 0 |ack|psh|urg) \
} ; }
list ruleset
#---------------------------------------------------
With a view to using this to filter out invalid combinations of TCP flags.
When I give that to nft I get:
# nft -f tryx
table ip MAIN {
        set tcp_good_flags {
                type tcp_flag
                flags constant
                elements = { ack, 0x30, 0x18, 0x38, rst,
                             0x14, 0x34, 0x1c, 0x3c, syn,
                             0x12, 0x32, 0x1a, 0x3a, 0x11,
                             0x31, 0x19, 0x39 }
        }
}
...which suggests that all is well so far... but it isn't. And if I try
to check the state of the ruleset again:
# nft list ruleset
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)
Indeed, nothing seems to work until I 'flush ruleset' again !
Am I asking for the impossible here ?
Thanks,
Chris
* Re: Failing to construct a 'set' for TCP Flag filtering.
From: Pablo Neira Ayuso @ 2020-09-02 17:51 UTC
To: Chris Hall; +Cc: netfilter
On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
>
> I have constructed the file 'tryx' containing:
>
> #---------------------------------------------------
> flush ruleset
> add table ip MAIN
>
> add set ip MAIN tcp_good_flags { type tcp_flag ; flags constant ; \
> elements = { \
> ( 0 | 0 | 0 |ack| 0 | 0 ), \
> ( 0 | 0 | 0 |ack| 0 |urg), \
> ( 0 | 0 | 0 |ack|psh| 0 ), \
> ( 0 | 0 | 0 |ack|psh|urg), \
> ( 0 | 0 |rst| 0 | 0 | 0 ), \
> ( 0 | 0 |rst|ack| 0 | 0 ), \
> ( 0 | 0 |rst|ack| 0 |urg), \
> ( 0 | 0 |rst|ack|psh| 0 ), \
> ( 0 | 0 |rst|ack|psh|urg), \
> ( 0 |syn| 0 | 0 | 0 | 0 ), \
> ( 0 |syn| 0 |ack| 0 | 0 ), \
> ( 0 |syn| 0 |ack| 0 |urg), \
> ( 0 |syn| 0 |ack|psh| 0 ), \
> ( 0 |syn| 0 |ack|psh|urg), \
> (fin| 0 | 0 |ack| 0 | 0 ), \
> (fin| 0 | 0 |ack| 0 |urg), \
> (fin| 0 | 0 |ack|psh| 0 ), \
> (fin| 0 | 0 |ack|psh|urg) \
> } ; }
>
> list ruleset
> #---------------------------------------------------
>
> With a view to using this to filter out invalid combinations of TCP flags.
>
> When I give that to nft I get:
>
> # nft -f tryx
> table ip MAIN {
> set tcp_good_flags {
> type tcp_flag
> flags constant
> elements = { ack, 0x30, 0x18, 0x38, rst,
> 0x14, 0x34, 0x1c, 0x3c, syn,
> 0x12, 0x32, 0x1a, 0x3a, 0x11,
> 0x31, 0x19, 0x39 }
> }
> }
>
> ...which suggests that all is well so far... but it isn't. And if I try to
> check the state of the ruleset again:
>
> # nft list ruleset
> BUG: Unknown expression binop
> nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
> Aborted (core dumped)
>
> Indeed, nothing seems to work until I 'flush ruleset' again !
>
> Am I asking for the impossible here ?
It's a bug, I'll apply this patch to git.
Attachment: x.patch (text/x-diff)
diff --git a/src/mergesort.c b/src/mergesort.c
index 02094b486aeb..4d5bdbd414db 100644
--- a/src/mergesort.c
+++ b/src/mergesort.c
@@ -44,7 +44,15 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2)
case EXPR_MAPPING:
return expr_msort_cmp(e1->left, e2->left);
case EXPR_BINOP:
- return expr_msort_cmp(e1->left, e2->left);
+ switch (e2->etype) {
+ case EXPR_VALUE:
+ return expr_msort_cmp(e1->left, e2);
+ case EXPR_BINOP:
+ return expr_msort_cmp(e1->left, e2->left);
+ default:
+ break;
+ }
+ /* fall through */
default:
BUG("Unknown expression %s\n", expr_name(e1));
}
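Review bot: the new EXPR_VALUE arm inside the EXPR_BINOP case compares e1->left against e2, so a binop element is ordered by its left operand rather than by the whole expression, and this hunk only covers the direction where e1 is the binop; the mirror pair (e1 an EXPR_VALUE, e2 an EXPR_BINOP) is decided by the EXPR_VALUE arm of the outer switch, which is outside this hunk, so it is worth confirming that pair returns the opposite sign, since a merge sort comparator is called with the two elements in either order. A one-line comment explaining why a single flag such as `ack` arrives as EXPR_VALUE while `ack | urg` arrives as EXPR_BINOP would help the next reader of this switch. Minor: the default arm's BUG() still names only expr_name(e1), so when it is reached through the new inner `default: break;` it hides which e2 type was unexpected; consider `BUG("Unknown expression %s/%s\n", expr_name(e1), expr_name(e2));`.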
* Re: Failing to construct a 'set' for TCP Flag filtering.
From: Chris Hall @ 2020-09-03 12:53 UTC
To: netfilter
On 02/09/2020 18:51, Pablo Neira Ayuso wrote:
> On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
>> .... issue with 'add set ip MAIN tcp_good_flags...'
>> Indeed, nothing seems to work until I 'flush ruleset' again !
>>
>> Am I asking for the impossible here ?
> It's a bug, I'll apply this patch to git.
Ah. I'm impressed that it's quickly fixable...
...but my Fedora appears to be 9 months behind on nftables v0.9.3, so I
guess I have a bit of a wait :-(
I tried building nftables, but ./configure says:
Package 'libnftnl' has version '1.1.3', required version is '>= 1.1.7'
I tried building and installing libnftnl, which created
'/usr/local/lib/libnftnl.so.11.3.0'. But that does not seem to satisfy
the ./configure for nftables ?
I guess what I need to do is build (on my development machine) an .rpm
to install on the firewall... but I'm not getting far.
Thanks,
Chris
* Re: Failing to construct a 'set' for TCP Flag filtering.
From: Florian Westphal @ 2020-09-03 14:24 UTC
To: Chris Hall; +Cc: netfilter
Chris Hall <nftables@gmch.uk> wrote:
> On 02/09/2020 18:51, Pablo Neira Ayuso wrote:
> > On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
> >> .... issue with 'add set ip MAIN tcp_good_flags...'
> > > Indeed, nothing seems to work until I 'flush ruleset' again !
> > >
> > > Am I asking for the impossible here ?
>
> > It's a bug, I'll apply this patch to git.
>
> Ah. I'm impressed that it's quickly fixable...
>
> ...but my Fedora appears to be 9 months behind on nftables v0.9.3, so I
> guess I have a bit of a wait :-(
>
> I tried building nftables, but ./configure says:
>
> Package 'libnftnl' has version '1.1.3', required version is '>= 1.1.7'
>
> I tried building and installing libnftnl, which created
> '/usr/local/lib/libnftnl.so.11.3.0'. But that does not seem to satisfy the
> ./configure for nftables ?
It does, but it's finding the wrong/old installation, or not searching in
/usr/local.
Try
./configure PKG_CONFIG_PATH=/path/to/where/the/1.1.7.pc-file-is
when building nftables.
find /usr/local -name '*.pc'
might tell you the right directory.
* Re: Failing to construct a 'set' for TCP Flag filtering.
From: Chris Hall @ 2020-09-03 17:44 UTC
To: netfilter
On 03/09/2020 15:24, Florian Westphal wrote:
...
> Try
>
> ./configure PKG_CONFIG_PATH=/path/to/where/the/1.1.7.pc-file-is
Thank you. I have now succeeded in building nft and libnftnl.so.11.3.0,
and copying same to the firewall machine. (Yay!)
Having applied the suggested patch, I now find that with the (same) file
'tryx' as before I now get:
# nft -f tryx
table ip MAIN {
        set tcp_good_flags {
                type tcp_flag
                flags constant
        }
}
...which appears to be a step backwards :-( BUT when I now check the
ruleset I get:
# nft list ruleset
table ip MAIN {
        set tcp_good_flags {
                type tcp_flag
                flags constant
                elements = { fin | psh | ack | urg, fin | psh | ack,
                             fin | ack | urg, fin | ack, syn | psh | ack | urg,
                             syn | psh | ack, syn | ack | urg, syn |
                             ack, syn, rst | psh | ack | urg,
                             rst | psh | ack, rst | ack | urg, rst |
                             ack, rst, psh | ack | urg,
                             psh | ack, ack | urg, ack }
        }
}
So it's not crashing any more -- hurrah !
BTW: if I have a 'list ruleset' in an .nft script, what should I expect
it to show me ? I ask because if I do (as above):
# nft -f xxxx.nft -- where the last line is 'list ruleset'
# nft list ruleset
the second command seems to show a more complete ruleset ?
FWIW:
add rule ip MAIN FORWARD tcp flags & (fin|syn|rst|ack|psh|urg) \
@tcp_good_flags goto FwdTCP
is accepted (and I hope will do what I want !).
Thanks,
Chris
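The set built in the first message and the masked lookup rule in the message above, modelled as an added example (not code from the thread or from nftables): it parses the thread's "( 0 | 0 |rst|ack| 0 | 0 )" rows into TCP flag bytes, reproduces the hex listing nft 0.9.3 printed, and applies `tcp flags & (fin|syn|rst|ack|psh|urg) @tcp_good_flags` to constructed sample flag bytes. The flag bit values are the standard TCP header flag bits; the sample packets and the helper names are this example's own.

```python
# Added example: model of tcp_good_flags and the masked set lookup from the
# thread. Flag bits are the standard TCP header bits (assumption, not from nft).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}
SIX_FLAG_MASK = sum(FLAG_BITS.values())  # fin|syn|rst|ack|psh|urg == 0x3f

# The 18 elements from the 'tryx' file, in its column notation
# (fin|syn|rst|ack|psh|urg) with 0 standing for an absent flag.
GOOD_FLAG_ROWS = [
    "( 0 | 0 | 0 |ack| 0 | 0 )", "( 0 | 0 | 0 |ack| 0 |urg)",
    "( 0 | 0 | 0 |ack|psh| 0 )", "( 0 | 0 | 0 |ack|psh|urg)",
    "( 0 | 0 |rst| 0 | 0 | 0 )", "( 0 | 0 |rst|ack| 0 | 0 )",
    "( 0 | 0 |rst|ack| 0 |urg)", "( 0 | 0 |rst|ack|psh| 0 )",
    "( 0 | 0 |rst|ack|psh|urg)", "( 0 |syn| 0 | 0 | 0 | 0 )",
    "( 0 |syn| 0 |ack| 0 | 0 )", "( 0 |syn| 0 |ack| 0 |urg)",
    "( 0 |syn| 0 |ack|psh| 0 )", "( 0 |syn| 0 |ack|psh|urg)",
    "(fin| 0 | 0 |ack| 0 | 0 )", "(fin| 0 | 0 |ack| 0 |urg)",
    "(fin| 0 | 0 |ack|psh| 0 )", "(fin| 0 | 0 |ack|psh|urg)",
]


def parse_flags(expr):
    """Turn 'fin|ack' or '( 0 | 0 | 0 |ack| 0 | 0 )' into a flag byte."""
    value = 0
    for token in expr.strip("() ").split("|"):
        token = token.strip()
        if token != "0":
            value |= FLAG_BITS[token]  # KeyError on an unknown flag name
    return value


def build_set(rows):
    return [parse_flags(row) for row in rows]


def nft_listing(elements):
    """Render elements as nft 0.9.3 listed them: lone flag by name, else hex."""
    names = {bit: name for name, bit in FLAG_BITS.items()}
    return [names[e] if e in names else "0x%02x" % e for e in elements]


def rule_matches(tcp_flags_byte, good_set):
    """'tcp flags & (fin|syn|rst|ack|psh|urg) @tcp_good_flags' for one packet.

    The mask strips the ECE/CWR bits (0x40/0x80), so an ECN-capable SYN
    (0xc2) still matches the 'syn' element; without it the lookup would fail."""
    return (tcp_flags_byte & SIX_FLAG_MASK) in good_set


# Constructed sample flag bytes -> expected verdict: plain SYN, SYN with ECN
# bits, and three combinations a conforming TCP stack never sends.
SAMPLES = {0x02: True, 0xc2: True, 0x00: False, 0x03: False, 0x29: False}
```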
* 'meta mark' and 'meta mark set' -- any restrictions on their use ?
From: Chris Hall @ 2020-09-15 15:43 UTC
To: netfilter
Can anyone point me in the direction of some documentation that tells me
how my ruleset may use the 'meta mark' ?
I assume that nothing in the kernel and nothing in nftables itself
depends on the value of the 'mark' ? So I may make whatever use I like
of it in my ruleset ?
I gather that the initial value of the mark may be set by the ConnTrack
stuff, if the connection is not new and 'ct mark set <value>' has been
used. Is that true ?
I guess the default value for the mark is 0. Is that true ?
I gather that I may
add rule ... meta mark set xx
in order to set the mark, and later I can:
add rule meta mark yy ...
to do something if the mark is equal to yy.
Or:
add rule (meta mark yy & 0x11) != 0 ...
to do something if yy contains either of the bits in 0x11.
I assume I have understood correctly ?
Experiment also suggests that I may:
add rule ... meta mark set (meta mark | 0x100)
to modify the mark. I assume that is meant to work ? (I note that the
second 'meta' appears to be redundant.)
There is clearly a quite sophisticated <expression> syntax layered on
top of what the man-page calls a "Primary Expression" (and the terms
<expr> in 'define <variable> = <expr>' and <value> in 'meta mark set
<value>' and elsewhere). Can anyone point me in the direction of the
documentation for all this ?
Thanks,
Chris