* Filter based on string (or other content)
@ 2020-09-12 13:41 K. de Jong
2020-09-13 0:45 ` Duncan Roe
[not found] ` <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
0 siblings, 2 replies; 5+ messages in thread
From: K. de Jong @ 2020-09-12 13:41 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 1608 bytes --]
I switched to nftables, but I miss one key feature. That is the ability
to filter packets based on a string. The goal is to filter all traffic
going to facebook.com or m.facebook.com for a set of days and time
ranges. The time ranges and days features are present in nftables, I've
spotted them. So I'll not focus on that. nftables-translate gave
errors.
This is what I had in my iptables script:
---
# Some variables, there are used in the rules below
facebook_filters=("www.facebook.com" "fbcdn.net" "m.facebook.com")
week_fb_timestart="03:00:00"
week_fb_timestop="20:00:00"
weekend_fb_timestart="03:00:00"
weekend_fb_timestop="17:00:00"
# Create table called facebook, which includes day and time
specifications
iptables -A facebook -p tcp -m multiport --dports 80,443 -m conntrack
--ctstate NEW,RELATED,ESTABLISHED -m comment --comment "Reject Facebook
during the week" -m time --timestart "$week_fb_timestart" --timestop
"$week_fb_timestop" --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT --reject-
with icmp-port-unreachable
# A rule that applies the string filter, created by a loop through the
facebook_filters array
for filter in "${facebook_filters[@]}"; do
iptables -A FORWARD -i tun+ -s "$vpn_ipv4_sub" -m string --string
"$filter" --algo bm -j facebook
done
---
I can't seem to find an equal feature in nftables that can perform the
same like I do here in iptables. A filter based on IPs is not reliable,
so adding the IPs of facebook.com might work for a while, until those
IPs change.
Does anyone know a solution to do this with nftables?
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Filter based on string (or other content)
2020-09-12 13:41 Filter based on string (or other content) K. de Jong
@ 2020-09-13 0:45 ` Duncan Roe
2020-09-13 8:49 ` G.W. Haywood
[not found] ` <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
1 sibling, 1 reply; 5+ messages in thread
From: Duncan Roe @ 2020-09-13 0:45 UTC (permalink / raw)
To: netfilter
On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
> I switched to nftables, but I miss one key feature. That is the ability
> to filter packets based on a string. The goal is to filter all traffic
> going to facebook.com or m.facebook.com for a set of days and time
> ranges. The time ranges and days features are present in nftables, I've
> spotted them. So I'll not focus on that. nftables-translate gave
> errors.
>
>
> This is what I had in my iptables script:
>
>
> ---
>
> # Some variables, there are used in the rules below
> facebook_filters=("www.facebook.com" "fbcdn.net" "m.facebook.com")
> week_fb_timestart="03:00:00"
> week_fb_timestop="20:00:00"
> weekend_fb_timestart="03:00:00"
> weekend_fb_timestop="17:00:00"
>
>
> # Create table called facebook, which includes day and time
> specifications
> iptables -A facebook -p tcp -m multiport --dports 80,443 -m conntrack
> --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "Reject Facebook
> during the week" -m time --timestart "$week_fb_timestart" --timestop
> "$week_fb_timestop" --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT --reject-
> with icmp-port-unreachable
>
>
> # A rule that applies the string filter, created by a loop through the
> facebook_filters array
> for filter in "${facebook_filters[@]}"; do
> iptables -A FORWARD -i tun+ -s "$vpn_ipv4_sub" -m string --string
> "$filter" --algo bm -j facebook
> done
>
>
> ---
>
> I can't seem to find an equal feature in nftables that can perform the
> same like I do here in iptables. A filter based on IPs is not reliable,
> so adding the IPs of facebook.com might work for a while, until those
> IPs change.
>
> Does anyone know a solution to do this with nftables?
I think I have done something like what you're after using 'queue' target and
writing a netfilter-queue program. See https://github.com/duncan-roe/nfq
Cheers ... Duncan.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Filter based on string (or other content)
2020-09-13 0:45 ` Duncan Roe
@ 2020-09-13 8:49 ` G.W. Haywood
2020-09-14 4:17 ` Duncan Roe
0 siblings, 1 reply; 5+ messages in thread
From: G.W. Haywood @ 2020-09-13 8:49 UTC (permalink / raw)
To: netfilter
Hi there,
On Sun, 13 Sep 2020, Duncan Roe wrote:
> On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
>> I switched to nftables, but I miss one key feature. That is the ability
>> to filter packets based on a string. ...
>> Does anyone know a solution to do this with nftables?
>
> I think I have done something like what you're after using 'queue' target and
> writing a netfilter-queue program. See https://github.com/duncan-roe/nfq
Looks like good work.
Shouldn't the TLDs be taken from the special use domains?
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
--
73,
Ged.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Filter based on string (or other content)
2020-09-13 8:49 ` G.W. Haywood
@ 2020-09-14 4:17 ` Duncan Roe
0 siblings, 0 replies; 5+ messages in thread
From: Duncan Roe @ 2020-09-14 4:17 UTC (permalink / raw)
To: netfilter
Hi Ged,
On Sun, Sep 13, 2020 at 09:49:44AM +0100, G.W. Haywood wrote:
> Hi there,
>
> On Sun, 13 Sep 2020, Duncan Roe wrote:
>
> > On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
> > > I switched to nftables, but I miss one key feature. That is the ability
> > > to filter packets based on a string. ...
> > > Does anyone know a solution to do this with nftables?
> >
> > I think I have done something like what you're after using 'queue' target and
> > writing a netfilter-queue program. See https://github.com/duncan-roe/nfq
>
> Looks like good work.
>
> Shouldn't the TLDs be taken from the special use domains?
>
> https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
>
> --
>
> 73,
> Ged.
Thank you for that URL! I didn't know about those reserved names before.
Seems to work really well: 'dig' Query time for sys8.admin.invalid was 1msec
while sys8.admin.inval was 200.
Normally queries for these names shouldn't happen and shouldn't make it to the
Internet if they do, but it would be neat to use them anyway so I'll put it on
my todo list.
Cheers ... Duncan.
^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>]
* Re: Filter based on string (or other content)
[not found] ` <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
@ 2020-09-13 10:59 ` K. de Jong
0 siblings, 0 replies; 5+ messages in thread
From: K. de Jong @ 2020-09-13 10:59 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 2038 bytes --]
On Sat, 2020-09-12 at 17:45 +0200, david@hajes.org wrote:
> sounds like Layer-7 filtering.
>
> There is something similar what you seek
> <
> https://serverfault.com/questions/998962/nftables-support-string-matching-support>
>
That indeed looks like what I'm trying to do. I fiddled around with it,
but it's very different than the iptables method of simply provide a
filter for a string and iptables will parse headers for it and block
anything that matches.
I tried it with nftables, by putting this in there for the output chain
on my laptop:
chain output {
ct state invalid drop
meta l4proto tcp @th,160,128 0x0970726f787970697065036e657400 counter
drop comment "block queries for proxypipe.net"
type filter hook output priority 0; policy accept;
oifname "lo" accept
ip6 daddr $ipv4_rfc3964 log prefix "6TO4_REJECT: " counter reject
with icmpv6 type addr-unreachable comment "Reject 6to4 (RFC3964)"
}
But it doesn't block anything in Chrome when I visit proxypipe.net. And
I'm just guessing at this point because these nftable options are way
more complex than iptables. The example from server fault is about
blocking DNS UDP requests to that website. But what I want to do is
block web requests. Which worked fine for Facebook with iptables. And
was easy to setup.
Could someone guide me towards the right direction? Simply blocking DNS
requests won't cut it, since I want to deny the website on specific
days and time ranges. If facebook.com is still in the DNS cache, it
will load the website. I have my own (unbound) recursive resolver, so
blocking Facebook entirely is no issue in terms of a DNS block. But the
thing is, I sometimes would like to allow Facebook on a firewall level.
That way I can enforce it for my phone via VPN as well. There are apps
for this as well. And Android has something builtin to limit website
visit time with Digital Wellbeing. But I prefer to have this central
solution.
Any suggestions or more specific examples for this use case?
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-09-14 4:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-12 13:41 Filter based on string (or other content) K. de Jong
2020-09-13 0:45 ` Duncan Roe
2020-09-13 8:49 ` G.W. Haywood
2020-09-14 4:17 ` Duncan Roe
[not found] ` <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
2020-09-13 10:59 ` K. de Jong
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.