* rate limit SIP INVITES
From: sean darcy @ 2020-09-26 19:10 UTC (permalink / raw)
To: netfilter
nftables-0.9.6
I'm running a VOIP server. There are lots of script kiddies who will
bang away with 10/sec SIP INVITES or REGISTERS.
In iptables you can match on the string:
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j SIPINVITE
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j SIPREGISTER
I'm looking at RAW to do the same:
meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
where 184 = 23*8, and 224 = 28*8. INVITE is 0x494e56495445 in hex
I have a prerouting chain:
table ip filter-asterisk {
chain output-asterisk {
..................
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
}
}
but no joy when I try to add the rule:
nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
Error: Could not process rule: Value too large for defined data type
add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
@th,184,224 0x494e56495445 counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Any help appreciated.
sean
* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:26 UTC (permalink / raw)
To: netfilter
On 9/26/20 3:10 PM, sean darcy wrote:
> nftables-0.9.6
>
> I'm running a VOIP server. There are lots of script kiddies who will
> bang away with 10/sec SIP INVITES or REGISTERS .
>
> In iptables you can match on the string:
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
> "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP
> INVITEs" -j SIPINVITE
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
> "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP
> REGISTERs" -j SIPREGISTER
>
> I'm looking at RAW to do the same:
>
> meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
>
> where 184 = 23*8, and 224 = 28*8. INVITE is 0x494e56495445 in hex
>
> I have a prerouting chain:
>
> table ip filter-asterisk {
> chain output-asterisk {
> ..................
> }
>
> chain prerouting {
> type filter hook prerouting priority raw; policy accept;
> }
> }
>
> but no joy when I try to add the rule:
>
> nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
> @th,184,224 0x494e56495445 counter
> Error: Could not process rule: Value too large for defined data type
> add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
> @th,184,224 0x494e56495445 counter
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> Any help appreciated.
>
> sean
>
>
Closer reading of the man page:
# nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060 @th,184,96 0x494e56495445 counter
#
The 3rd parameter of the raw expression is bit length (16 * the six
characters in INVITE , correct?).
Now let's see if it works.
sean
* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:34 UTC (permalink / raw)
To: netfilter
On 9/26/20 4:26 PM, sean darcy wrote:
> On 9/26/20 3:10 PM, sean darcy wrote:
>> nftables-0.9.6
>>
>> I'm running a VOIP server. There are lots of script kiddies who will
>> bang away with 10/sec SIP INVITES or REGISTERS .
>>
>> In iptables you can match on the string:
>>
>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
>> "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP
>> INVITEs" -j SIPINVITE
>>
>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
>> "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP
>> REGISTERs" -j SIPREGISTER
>>
>> I'm looking at RAW to do the same:
>>
>> meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
>>
>> where 184 = 23*8, and 224 = 28*8. INVITE is 0x494e56495445 in hex
>>
>> I have a prerouting chain:
>>
>> table ip filter-asterisk {
>> chain output-asterisk {
>> ..................
>> }
>>
>> chain prerouting {
>> type filter hook prerouting priority raw; policy accept;
>> }
>> }
>>
>> but no joy when I try to add the rule:
>>
>> nft add rule filter-asterisk prerouting meta l4proto udp udp dport
>> 5060 @th,184,224 0x494e56495445 counter
>> Error: Could not process rule: Value too large for defined data type
>> add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
>> @th,184,224 0x494e56495445 counter
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> Any help appreciated.
>>
>> sean
>>
>>
>
> Closer reading of the man page:
>
> # nft add rule filter-asterisk prerouting meta l4proto udp udp dport
> 5060 @th,184,96 0x494e56495445 counter
> #
>
> The 3rd parameter of the raw expression is bit length (16 * the six
> characters in INVITE , correct?).
>
> Now let's see if it works.
>
> sean
>
>
Or better 192, 32 * the 6 characters in INVITE. It seems there are 2
hex numbers for each ascii character.
* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:45 UTC (permalink / raw)
To: netfilter
On 9/26/20 4:26 PM, sean darcy wrote:
> On 9/26/20 3:10 PM, sean darcy wrote:
>> nftables-0.9.6
>>
>> I'm running a VOIP server. There are lots of script kiddies who will
>> bang away with 10/sec SIP INVITES or REGISTERS .
>>
>> In iptables you can match on the string:
>>
>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
>> "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP
>> INVITEs" -j SIPINVITE
>>
>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
>> "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP
>> REGISTERs" -j SIPREGISTER
>>
>> I'm looking at RAW to do the same:
>>
>> meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
>>
>> where 184 = 23*8, and 224 = 28*8. INVITE is 0x494e56495445 in hex
>>
>> I have a prerouting chain:
>>
>> table ip filter-asterisk {
>> chain output-asterisk {
>> ..................
>> }
>>
>> chain prerouting {
>> type filter hook prerouting priority raw; policy accept;
>> }
>> }
>>
>> but no joy when I try to add the rule:
>>
>> nft add rule filter-asterisk prerouting meta l4proto udp udp dport
>> 5060 @th,184,224 0x494e56495445 counter
>> Error: Could not process rule: Value too large for defined data type
>> add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
>> @th,184,224 0x494e56495445 counter
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> Any help appreciated.
>>
>> sean
>>
>>
>
> Closer reading of the man page:
>
> # nft add rule filter-asterisk prerouting meta l4proto udp udp dport
> 5060 @th,184,96 0x494e56495445 counter
> #
>
> The 3rd parameter of the raw expression is bit length (16 * the six
> characters in INVITE , correct?).
>
> Now let's see if it works.
>
> sean
>
>
I'm quitting for the day. 4 bits = 1 hex number. 6 ascii characters are 12 hex numbers, or 48 bits.
* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 13:54 UTC (permalink / raw)
To: sean darcy; +Cc: netfilter
On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
> nftables-0.9.6
>
> I'm running a VOIP server. There are lots of script kiddies who will bang
> away with 10/sec SIP INVITES or REGISTERS .
>
> In iptables you can match on the string:
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
> --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
> SIPINVITE
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
> --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
> SIPREGISTER
>
> I'm looking at RAW to do the same:
nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
@th => transport header
64 => from bit number 64 (8 bytes after the UDP header)
48 => extract 48 bits (6 bytes for INVITE)
* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 14:03 UTC (permalink / raw)
To: sean darcy; +Cc: netfilter
On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
> > nftables-0.9.6
> >
> > I'm running a VOIP server. There are lots of script kiddies who will bang
> > away with 10/sec SIP INVITES or REGISTERS .
> >
> > In iptables you can match on the string:
> >
> > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
> > --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
> > SIPINVITE
> >
> > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
> > --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
> > SIPREGISTER
> >
> > I'm looking at RAW to do the same:
>
> nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
>
> @th => transport header
> 64 => from bit number 64 (8 bytes after the UDP header)
> 48 => extract 48 bits (6 bytes for INVITE)
@th,offset,length
where offset and length are expressed in bits.
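The rule form Pablo gives above (offset and length in bits, value as the token's bytes read as one hex integer) is mechanical enough to generate. The following is an added example, not code from the thread or from the nftables project: it builds the `@th,offset,length value` match for any SIP method token the way the thread derives it for INVITE, and goes one step beyond the thread by wrapping the matches in a ruleset that rate-limits per source address, which is what the original post set out to do. The dynamic-set meter syntax (`flags dynamic,timeout`, `add @set { ip saddr timeout 1m limit rate over N/second }`) is assumed from the nftables wiki rather than taken from this thread; the table and chain names default to the ones in sean's later listing.

```python
# Added example, not part of the thread: build "@th,offset,length value" raw
# payload matches for SIP method tokens and emit a per-source rate-limit ruleset.
# Assumption (labelled): the dynamic-set meter syntax below follows the
# nftables wiki; it is not shown anywhere in this thread.

UDP_HEADER_BITS = 8 * 8   # a UDP header is 8 bytes, so the payload begins at @th bit 64


def raw_match(token: str, base: str = "th", offset_bits: int = UDP_HEADER_BITS) -> str:
    """Return '@<base>,<offset>,<length> 0x<hex>' for an ASCII token that sits
    at the start of the UDP payload.

    offset and length are in bits (Pablo: "@th,offset,length").  The value is
    the token's bytes read as a big-endian integer, which is exactly what nft
    later prints back in decimal (0x494e56495445 == 80600803923013).
    """
    data = token.encode("ascii")
    if not 1 <= len(data) <= 8:
        # 8 bytes keeps the constant inside a 64-bit literal; REGISTER (64 bits)
        # is the longest value this thread shows working.
        raise ValueError("token must be 1..8 ASCII bytes")
    return f"@{base},{offset_bits},{len(data) * 8} 0x{data.hex()}"


def sip_flood_ruleset(methods, rate_per_second: int, table: str = "filter",
                      chain: str = "raw", meter: str = "sip_flood") -> str:
    """Emit an nft ruleset with one rule per SIP method.  Each rule records the
    source address in a dynamic set with a per-address limit and drops only
    once that address exceeds rate_per_second; slower traffic falls through to
    the chain's policy accept."""
    lines = [
        f"table ip {table} {{",
        f"\tset {meter} {{",
        "\t\ttype ipv4_addr",
        "\t\tflags dynamic,timeout",   # assumed meter declaration, see lead-in
        "\t\tsize 65535",
        "\t}",
        f"\tchain {chain} {{",
        "\t\ttype filter hook prerouting priority raw; policy accept;",
    ]
    for method in methods:
        lines.append(
            f"\t\tudp dport 5060 {raw_match(method)} "
            f"add @{meter} {{ ip saddr timeout 1m limit rate over {rate_per_second}/second }} drop"
        )
    lines += ["\t}", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output to a file and load it with `nft -f <file>` (needs root).
    print(sip_flood_ruleset(["INVITE", "REGISTER"], rate_per_second=10))
```

Both rules share one set, so a source's INVITE and REGISTER bursts count against the same budget. The match only sees a token at the very start of the datagram, which is where a SIP request line puts the method; a `counter` variant of the same rule (as in the thread) is the quickest way to confirm the offsets before switching the verdict to `drop`.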
* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-27 15:42 UTC (permalink / raw)
To: netfilter
On 9/27/20 10:03 AM, Pablo Neira Ayuso wrote:
> On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
>> On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
>>> nftables-0.9.6
>>>
>>> I'm running a VOIP server. There are lots of script kiddies who will bang
>>> away with 10/sec SIP INVITES or REGISTERS .
>>>
>>> In iptables you can match on the string:
>>>
>>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
>>> --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
>>> SIPINVITE
>>>
>>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
>>> --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
>>> SIPREGISTER
>>>
>>> I'm looking at RAW to do the same:
>>
>> nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
>>
>> @th => transport header
>> 64 => from bit number 64 (8 bytes after the UDP header)
>> 48 => extract 48 bits (6 bytes for INVITE)
>
> @th,offset,length
>
> where offset and length are expressed in bits.
>
Thanks for the response.
I corrected it, but it didn't work:
nft list chain filter raw
table ip filter {
chain raw {
type filter hook prerouting priority raw; policy accept;
udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
udp dport 5060 @th,184,64 5928222864759342418 counter packets 0 bytes 0
}
}
I've gotten over 100 INVITEs or REGISTERs .
Also nft changes the hex to decimal. Here's the input:
# INVITE ascii = 0x494e56495445 hex , 48 (6 * 8 ) bits long
# REGISTER ascii = 52 45 47 49 53 54 45 52 , 64 ( 8 * 8 ) bits long
chain raw {
type filter hook prerouting priority raw; policy accept;
udp dport 5060 @th,184,48 0x494e56495445 counter packets 0 bytes 0
udp dport 5060 @th,184,64 0x5245474953544552 counter
}
I'd suggest nft should leave it in hex.
Here's the tcpdump output
0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0 ...I..RT...0..E.
0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461 ....@.@...Q....a
0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445 ;L......8nINVITE
INVITE starts at bit 337 (128 * 2 ) + ( 5 * 16 ) +1, but this is zero
based, so use 336, correct?
As I read your response, it's not the offset from the beginning, but
after the UDP header,
so 336 - 120 , or 216. (BTW, I always thought the UDP header was 160 bits.)
udp dport 5060 @th,216,48 0x494e56495445 counter
Sorry for being so long-winded. I appreciate your help in sorting this out.
sean
* Re: rate limit SIP INVITES
From: Florian Westphal @ 2020-09-27 19:12 UTC (permalink / raw)
To: sean darcy; +Cc: netfilter
sean darcy <seandarcy2@gmail.com> wrote:
> On 9/27/20 10:03 AM, Pablo Neira Ayuso wrote:
> > On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
> > > > nftables-0.9.6
> > > >
> > > > I'm running a VOIP server. There are lots of script kiddies who will bang
> > > > away with 10/sec SIP INVITES or REGISTERS .
> > > >
> > > > In iptables you can match on the string:
> > > >
> > > > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
> > > > --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
> > > > SIPINVITE
> > > >
> > > > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
> > > > --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
> > > > SIPREGISTER
> > > >
> > > > I'm looking at RAW to do the same:
> > >
> > > nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
> > >
> > > @th => transport header
> > > 64 => from bit number 64 (8 bytes after the UDP header)
> > > 48 => extract 48 bits (6 bytes for INVITE)
> >
> > @th,offset,length
> >
> > where offset and length are expressed in bits.
> >
> Thanks for the response.
>
> I corrected it , but it didn't work:
>
> nft list chain filter raw
> table ip filter {
> chain raw {
> type filter hook prerouting priority raw; policy accept;
> udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
^^^^
64,48
[..]
> Here's the tcpdump output
>
> 0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0 ...I..RT...0..E.
> 0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461 ....@.@...Q....a
> 0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445 ;L......8nINVITE
>
> INVITE starts at bit 337 (128 * 2 ) + ( 5 * 16 ) +1, but this is zero based,
> so use 336, correct?
No. You are asking for @th, so address is relative to the transport (UDP) header,
which is 8 bytes. So INVITE starts at bit 64, just like Pablo said.
> As I read your response, it's not the offset from the beginning, but after
> the UDP header,
> so 336 - 120 , or 216. (BTW, I always thought the UDP header was 160 bits.)
No: @ll - start at link layer
@nh - start at ip/ipv6 header
@th - start at tcp/udp/whatever transport header protocol is used
The offset is relative to that, not the 'start of packet'.
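Florian's point, that the offset counts from whichever header `@ll`, `@nh` or `@th` names, can be checked directly against the bytes sean captured. The following is an added example, not code from the thread: it parses the three tcpdump lines posted above into a packet, walks the Ethernet and IPv4 headers to find where each base starts, and computes the bit offset of INVITE relative to each base. It also converts the decimal constants that `nft list` prints back into the ASCII token, since sean found that output hard to read. The Ethernet/IPv4/UDP parsing and byte-aligned extraction are this example's own simplifications; the packet bytes come from the thread.

```python
# Added example, not part of the thread: derive @ll/@nh/@th bit offsets of a
# token from a captured packet and decode nft's decimal output back to ASCII.
import struct

# The three tcpdump lines sean posted (copied from the thread; 48 bytes).
TCPDUMP_LINES = """
0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0 ...I..RT...0..E.
0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461 ....@.@...Q....a
0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445 ;L......8nINVITE
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw bytes from 'tcpdump -x'-style lines, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        groups = rest.split()[:8]            # at most 8 groups of 2 bytes per line
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def header_bases(pkt: bytes) -> dict:
    """Byte offset at which each nft base starts.  This example only handles
    untagged Ethernet carrying IPv4 over UDP; that is an assumption, not a
    limitation of nft."""
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 over Ethernet only")
    nh = 14                                   # @nh: first byte of the IPv4 header
    ihl = (pkt[nh] & 0x0F) * 4               # IPv4 header length from the IHL nibble
    if pkt[nh + 9] != 17:
        raise ValueError("not a UDP packet")
    th = nh + ihl                             # @th: first byte of the UDP header
    return {"ll": 0, "nh": nh, "th": th}


def udp_dport(pkt: bytes) -> int:
    """Destination port, as 'udp dport 5060' would see it."""
    return struct.unpack("!H", pkt[header_bases(pkt)["th"] + 2:][:2])[0]


def raw_offsets(pkt: bytes, token: bytes) -> dict:
    """Bit offset of `token` relative to each base: the numbers that go into
    @ll,<offset>,<len> / @nh,... / @th,... for this packet."""
    pos = pkt.find(token)
    if pos < 0:
        raise ValueError("token not present in packet")
    return {name: (pos - start) * 8 for name, start in header_bases(pkt).items()}


def extract(pkt: bytes, base: str, offset_bits: int, length_bits: int) -> bytes:
    """The bytes a raw payload expression compares against its constant.
    Byte-aligned offsets and lengths only, which is all this thread uses."""
    start = header_bases(pkt)[base] + offset_bits // 8
    return pkt[start:start + length_bits // 8]


def listed_value_to_ascii(value: int, length_bits: int) -> str:
    """'nft list' shows the constant in decimal; turn it back into the token."""
    return value.to_bytes(length_bits // 8, "big").decode("ascii")


PKT = parse_tcpdump_hex(TCPDUMP_LINES)

if __name__ == "__main__":
    print(raw_offsets(PKT, b"INVITE"))       # {'ll': 336, 'nh': 224, 'th': 64}
    for base, off in raw_offsets(PKT, b"INVITE").items():
        print(f"@{base},{off},48 ->", extract(PKT, base, off, 48))
    print(listed_value_to_ascii(80600803923013, 48))
```

The three offsets it reports are the ones sean's final listing shows matching identically. `@th` is the base to prefer in a ruleset: a VLAN tag or IPv4 options would shift the `@ll` and `@nh` values, but the payload always begins 64 bits after the start of the UDP header.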
* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 20:59 UTC (permalink / raw)
To: sean darcy; +Cc: netfilter
On Sun, Sep 27, 2020 at 11:42:08AM -0400, sean darcy wrote:
> On 9/27/20 10:03 AM, Pablo Neira Ayuso wrote:
> > On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
> > > > nftables-0.9.6
> > > >
> > > > I'm running a VOIP server. There are lots of script kiddies who will bang
> > > > away with 10/sec SIP INVITES or REGISTERS .
> > > >
> > > > In iptables you can match on the string:
> > > >
> > > > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
> > > > --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
> > > > SIPINVITE
> > > >
> > > > -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
> > > > --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
> > > > SIPREGISTER
> > > >
> > > > I'm looking at RAW to do the same:
> > >
> > > nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
> > >
> > > @th => transport header
> > > 64 => from bit number 64 (8 bytes after the UDP header)
> > > 48 => extract 48 bits (6 bytes for INVITE)
> >
> > @th,offset,length
> >
> > where offset and length are expressed in bits.
> >
> Thanks for the response.
>
> I corrected it , but it didn't work:
>
> nft list chain filter raw
> table ip filter {
> chain raw {
> type filter hook prerouting priority raw; policy accept;
> udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
> udp dport 5060 @th,184,64 5928222864759342418 counter packets 0 bytes 0
This should be:
@th,64,48 0x494e56495445 counter
you specify offset to 184, that does not look fine.
If you want to match INVITE right after the UDP header, in the initial
6 bytes of the payload, then offset is 64 bits given that UDP header is
8 bytes (64 bits).
Note that @th specifies that the offset is relative to the transport
header offset. Similarly, @nh specifies the offset relative to the
network header.
I tried it here with nc -u and sending the string INVITE and it works
fine.
* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-28 18:09 UTC (permalink / raw)
To: netfilter
On 9/27/20 4:59 PM, Pablo Neira Ayuso wrote:
> On Sun, Sep 27, 2020 at 11:42:08AM -0400, sean darcy wrote:
>> On 9/27/20 10:03 AM, Pablo Neira Ayuso wrote:
>>> On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
>>>> On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
>>>>> nftables-0.9.6
>>>>>
>>>>> I'm running a VOIP server. There are lots of script kiddies who will bang
>>>>> away with 10/sec SIP INVITES or REGISTERS .
>>>>>
>>>>> In iptables you can match on the string:
>>>>>
>>>>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
>>>>> --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
>>>>> SIPINVITE
>>>>>
>>>>> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
>>>>> --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
>>>>> SIPREGISTER
>>>>>
>>>>> I'm looking at RAW to do the same:
>>>>
>>>> nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
>>>>
>>>> @th => transport header
>>>> 64 => from bit number 64 (8 bytes after the UDP header)
>>>> 48 => extract 48 bits (6 bytes for INVITE)
>>>
>>> @th,offset,length
>>>
>>> where offset and length are expressed in bits.
>>>
>> Thanks for the response.
>>
>> I corrected it , but it didn't work:
>>
>> nft list chain filter raw
>> table ip filter {
>> chain raw {
>> type filter hook prerouting priority raw; policy accept;
>> udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
>> udp dport 5060 @th,184,64 5928222864759342418 counter packets 0 bytes 0
>
> This should be:
> @th,64,48 0x494e56495445 counter
>
> you specify offset to 184, that does not look fine.
>
> If you want to match INVITE right after the UDP header, in the initial
> 6 bytes of the payload, then offset is 64 bits give that UDP header is
> 8 bytes (64 bits).
>
> Note that @th specifies that the offset is relative to the transport
> header offset. Similarly, @nh specifies the offset relative to the
> network header.
>
> I tried it here with nc -u and sending the string INVITE and it works
> fine.
>
It's working. Thanks for all the quick and responsive help.
For those who find this exchange, and are as clueless as I am about bit
counting network packets, and the differences between link layer,
network header, and transport header:
table ip filter {
chain raw {
type filter hook prerouting priority raw; policy accept;
udp dport 5060 @th,64,48 80600803923013 counter packets 221 bytes 162020
udp dport 5060 @th,64,64 5928222864759342418 counter packets 67 bytes 39671
udp dport 5060 @ll,336,48 80600803923013 counter packets 221 bytes 162020
udp dport 5060 @ll,336,64 5928222864759342418 counter packets 67 bytes 39671
udp dport 5060 @nh,224,48 80600803923013 counter packets 221 bytes 162020 drop
udp dport 5060 @nh,224,64 5928222864759342418 counter packets 67 bytes 39671 drop
}
}
I repeat my suggestion that "nft list" show the pattern to be matched in
hex, as it is in the command.
sean