* Both { tcp, udp} in meta vmap
@ 2021-11-19 0:44 Matt Zagrabelny
2021-11-19 9:02 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Matt Zagrabelny @ 2021-11-19 0:44 UTC (permalink / raw)
To: netfilter
Greetings,
I have the following rules:
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
nd-neighbor-solicit, nd-neighbor-advert } accept
ct state vmap { invalid : drop, established : accept,
related : accept }
tcp dport { 1812, 1813 } meta protocol vmap { ip :
jump radius_ipv4, ip6 : jump radius_ipv6 }
}
# contrived chains...
chain radius_ipv4 {
ip saddr { 127.0.0.0/8, } accept
}
chain radius_ipv6 {
ip6 saddr { ::1 } accept
}
}
I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
dport { 1812, 1813 }", but I'm getting the error:
Error: syntax error, unexpected dport
Nov 18 18:14:52 localhost nft[5816]: { tcp, udp } dport { 1812, 1813 }
meta protocol vmap {
I see in the man page under the "RAW PAYLOAD EXPRESSION" there exists
the idea of giving a list or protocols...
Matching destination port of both UDP and TCP.
inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }
The above can also be written as
inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }
Is what I'm trying to do solvable with meta and vmap in one rule, or
should I just create two meta vmap rules?
Thanks for helping me learn and use nftables.
Cheers,
-m
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Both { tcp, udp} in meta vmap
2021-11-19 0:44 Both { tcp, udp} in meta vmap Matt Zagrabelny
@ 2021-11-19 9:02 ` Pablo Neira Ayuso
2021-11-21 2:46 ` Matt Zagrabelny
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-11-19 9:02 UTC (permalink / raw)
To: Matt Zagrabelny; +Cc: netfilter
On Thu, Nov 18, 2021 at 06:44:22PM -0600, Matt Zagrabelny wrote:
> Greetings,
>
> I have the following rules:
>
> table inet filter {
> chain input {
> type filter hook input priority 0; policy drop;
> ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
> nd-neighbor-solicit, nd-neighbor-advert } accept
Replace 'ip6 nexthdr ipv6-icmp icmpv6 type' by 'icmpv6 type' is just fine.
Please have a look at this, there is a note specifically on matching
icmpv6 traffic:
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
> ct state vmap { invalid : drop, established : accept,
> related : accept }
> tcp dport { 1812, 1813 } meta protocol vmap { ip :
> jump radius_ipv4, ip6 : jump radius_ipv6 }
> }
>
> # contrived chains...
> chain radius_ipv4 {
> ip saddr { 127.0.0.0/8, } accept
> }
>
> chain radius_ipv6 {
> ip6 saddr { ::1 } accept
> }
> }
>
> I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
> dport { 1812, 1813 }", but I'm getting the error [...]
Use:
... meta l4proto { tcp, udp } th dport { 1812, 1813 }
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Both { tcp, udp} in meta vmap
2021-11-19 9:02 ` Pablo Neira Ayuso
@ 2021-11-21 2:46 ` Matt Zagrabelny
0 siblings, 0 replies; 3+ messages in thread
From: Matt Zagrabelny @ 2021-11-21 2:46 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hey Pablo...
On Fri, Nov 19, 2021 at 3:02 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Nov 18, 2021 at 06:44:22PM -0600, Matt Zagrabelny wrote:
> > Greetings,
> >
> > I have the following rules:
> >
> > table inet filter {
> > chain input {
> > type filter hook input priority 0; policy drop;
> > ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
> > nd-neighbor-solicit, nd-neighbor-advert } accept
>
> Replace 'ip6 nexthdr ipv6-icmp icmpv6 type' by 'icmpv6 type' is just fine.
> Please have a look at this, there is a note specifically on matching
> icmpv6 traffic:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
Thanks for the tip. I'll submit a bug to the Debian package to get the
documentation updated to reflect the above.
>
> > ct state vmap { invalid : drop, established : accept,
> > related : accept }
> > tcp dport { 1812, 1813 } meta protocol vmap { ip :
> > jump radius_ipv4, ip6 : jump radius_ipv6 }
> > }
> >
> > # contrived chains...
> > chain radius_ipv4 {
> > ip saddr { 127.0.0.0/8, } accept
> > }
> >
> > chain radius_ipv6 {
> > ip6 saddr { ::1 } accept
> > }
> > }
> >
> > I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
> > dport { 1812, 1813 }", but I'm getting the error [...]
>
> Use:
>
> ... meta l4proto { tcp, udp } th dport { 1812, 1813 }
Makes sense. Thanks again for the help!
-m
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-11-21 2:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-19 0:44 Both { tcp, udp} in meta vmap Matt Zagrabelny
2021-11-19 9:02 ` Pablo Neira Ayuso
2021-11-21 2:46 ` Matt Zagrabelny
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.