* Both { tcp, udp} in meta vmap
@ 2021-11-19  0:44 Matt Zagrabelny
  2021-11-19  9:02 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Matt Zagrabelny @ 2021-11-19  0:44 UTC (permalink / raw)
  To: netfilter

Greetings,

I have the following rules:

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                ct state vmap { invalid : drop, established : accept, related : accept }
                tcp dport { 1812, 1813 } meta protocol vmap { ip : jump radius_ipv4, ip6 : jump radius_ipv6 }
        }

        # contrived chains...
        chain radius_ipv4 {
                ip saddr { 127.0.0.0/8, } accept
        }

        chain radius_ipv6 {
                ip6 saddr { ::1 } accept
        }
}

I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
dport { 1812, 1813 }", but I'm getting the error:

Error: syntax error, unexpected dport
Nov 18 18:14:52 localhost nft[5816]: { tcp, udp } dport { 1812, 1813 }
meta protocol vmap {

I see in the man page under "RAW PAYLOAD EXPRESSION" there exists
the idea of giving a list of protocols...

       Matching destination port of both UDP and TCP.

           inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }

       The above can also be written as

           inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }

Is what I'm trying to do solvable with meta and vmap in one rule, or
should I just create two meta vmap rules?

Thanks for helping me learn and use nftables.

Cheers,

-m


* Re: Both { tcp, udp} in meta vmap
  2021-11-19  0:44 Both { tcp, udp} in meta vmap Matt Zagrabelny
@ 2021-11-19  9:02 ` Pablo Neira Ayuso
  2021-11-21  2:46   ` Matt Zagrabelny
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-11-19  9:02 UTC (permalink / raw)
  To: Matt Zagrabelny; +Cc: netfilter

On Thu, Nov 18, 2021 at 06:44:22PM -0600, Matt Zagrabelny wrote:
> Greetings,
> 
> I have the following rules:
> 
> table inet filter {
>         chain input {
>                 type filter hook input priority 0; policy drop;
>                 ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
> nd-neighbor-solicit, nd-neighbor-advert } accept

Replacing 'ip6 nexthdr ipv6-icmp icmpv6 type' with 'icmpv6 type' is just fine.
Please have a look at this, there is a note specifically on matching
icmpv6 traffic:

https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers

>                 ct state vmap { invalid : drop, established : accept,
> related : accept }
>                 tcp dport { 1812, 1813 } meta protocol vmap { ip :
> jump radius_ipv4, ip6 : jump radius_ipv6 }
>         }
> 
>         # contrived chains...
>         chain radius_ipv4 {
>                 ip saddr { 127.0.0.0/8, } accept
>         }
> 
>         chain radius_ipv6 {
>                 ip6 saddr { ::1 } accept
>         }
> }
> 
> I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
> dport { 1812, 1813 }", but I'm getting the error [...]

Use:

        ... meta l4proto { tcp, udp } th dport { 1812, 1813 }

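Putting Pablo's two suggestions together, here is the poster's ruleset as one complete nft file. This is an added example, not something posted in the thread: the chain names, ports and loopback sources are the thread's own, while the 'flush ruleset' line, the comments and the removal of the trailing comma in the IPv4 set are my additions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): the poster's ruleset rewritten with the
# two changes suggested in the reply above.
# Check syntax without loading anything:  nft -c -f radius.nft
# Load it:                                nft -f radius.nft
# Show what the kernel actually holds:    nft list ruleset

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # Neighbour discovery. 'icmpv6 type' already implies the
                # IPv6 + ICMPv6 header dependency, so the explicit
                # 'ip6 nexthdr ipv6-icmp' prefix is not needed.
                icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

                ct state vmap { invalid : drop, established : accept, related : accept }

                # One rule for both transports. 'th dport' reads the port at
                # the generic transport-header offset, so the
                # 'meta l4proto { tcp, udp }' guard is what stops the rule from
                # matching any other layer-4 protocol whose header also starts
                # with port fields. Packets whose ethertype is neither ip nor
                # ip6 find no vmap entry and fall through to the chain policy.
                meta l4proto { tcp, udp } th dport { 1812, 1813 } meta protocol vmap { ip : jump radius_ipv4, ip6 : jump radius_ipv6 }
        }

        # Contrived chains as in the thread: only loopback sources reach RADIUS.
        chain radius_ipv4 {
                ip saddr { 127.0.0.0/8 } accept
        }

        chain radius_ipv6 {
                ip6 saddr { ::1 } accept
        }
}
```

Running 'nft -c -f radius.nft' first is the cheap way to catch the kind of syntax error the original post hit before anything touches the live ruleset, and 'nft list ruleset' afterwards shows the dependencies nft generated for you (the 'meta l4proto' match in front of the 'icmpv6 type' rule, for instance), which is the quickest way to confirm the rule means what you think it means.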

* Re: Both { tcp, udp} in meta vmap
  2021-11-19  9:02 ` Pablo Neira Ayuso
@ 2021-11-21  2:46   ` Matt Zagrabelny
  0 siblings, 0 replies; 3+ messages in thread
From: Matt Zagrabelny @ 2021-11-21  2:46 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hey Pablo...

On Fri, Nov 19, 2021 at 3:02 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Nov 18, 2021 at 06:44:22PM -0600, Matt Zagrabelny wrote:
> > Greetings,
> >
> > I have the following rules:
> >
> > table inet filter {
> >         chain input {
> >                 type filter hook input priority 0; policy drop;
> >                 ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
> > nd-neighbor-solicit, nd-neighbor-advert } accept
>
> Replacing 'ip6 nexthdr ipv6-icmp icmpv6 type' with 'icmpv6 type' is just fine.
> Please have a look at this, there is a note specifically on matching
> icmpv6 traffic:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers

Thanks for the tip. I'll submit a bug to the Debian package to get the
documentation updated to reflect the above.

>
> >                 ct state vmap { invalid : drop, established : accept,
> > related : accept }
> >                 tcp dport { 1812, 1813 } meta protocol vmap { ip :
> > jump radius_ipv4, ip6 : jump radius_ipv6 }
> >         }
> >
> >         # contrived chains...
> >         chain radius_ipv4 {
> >                 ip saddr { 127.0.0.0/8, } accept
> >         }
> >
> >         chain radius_ipv6 {
> >                 ip6 saddr { ::1 } accept
> >         }
> > }
> >
> > I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
> > dport { 1812, 1813 }", but I'm getting the error [...]
>
> Use:
>
>         ... meta l4proto { tcp, udp } th dport { 1812, 1813 }

Makes sense. Thanks again for the help!

-m

