From: Pablo Neira Ayuso <pablo@netfilter.org>
To: tomekx1000 <tomekx1000@lutel.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables and FTP connection tracking
Date: Thu, 14 Aug 2014 20:02:05 +0200
Message-ID: <20140814180205.GA5928@salvia>
In-Reply-To: <4ae8314bdfec48fe944b03977bb140ff@lutel.pl>
On Thu, Aug 14, 2014 at 11:29:57AM +0200, tomekx1000 wrote:
> Dear All,
>
> Could you have a look at my simple nft firewall script below? I've
> used ct related, established, but it doesn't work with passive mode
> FTP - the data session on high ports is dropped by the firewall. Does
> nftables have a connection tracking helper for FTP?
Yes, no changes in that regard.
> If not - is it planned in the foreseeable future to add it?
>
> table ip filter {
>     chain input {
>         type filter hook input priority 0;
>         dport {21} ct state new limit rate 2/second counter accept
The brackets have special meaning. If you use brackets to wrap
elements, the kernel will create a set for it with one single element.
Better use the brackets when you have multiple elements. In this case,
I suggest you use:

    tcp dport 21 ...
>         ct state {established, related} counter accept

No need to use the brackets here:

    ct state established,related ...
The ct state allows enumeration of several states using commas. This
is due to the fact that ct state internally represents the states as a
bitmask.
You can check that using the describe command:
# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits

pre-defined symbolic constants:
    invalid        0x00000001
    new            0x00000008
    established    0x00000002
    related        0x00000004
    untracked      0x00000040
Basically, all bitmask types can use the comma-separated enumeration
notation to combine the supported flags.
You can use describe to inquire for other selectors in case of doubt.
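The ruleset below is an added example for this thread, not the script posted in it nor nftables project code. It applies both corrections from the reply (a bare "tcp dport 21" instead of a one-element set, and the comma-separated "ct state established,related" bitmask notation) and adds the piece the original script was missing for passive FTP: an explicit FTP conntrack helper assignment, without which the data connection never becomes "related" and is dropped by the default policy. It assumes the nf_conntrack_ftp module is loaded and an nft/kernel new enough to support "ct helper" objects (newer than the 2014 versions discussed here); the helper object name "ftp-std" is an arbitrary choice.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset from the original thread.
# Assumes: modprobe nf_conntrack_ftp has been run, and nft supports
# "ct helper" objects. The object name "ftp-std" is arbitrary.
flush ruleset

table inet filter {
    # FTP control-channel helper: parses PORT/PASV/EPSV on port 21 and
    # registers an expectation, so the data connection arrives with
    # "ct state related" instead of "new".
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain helper_assign {
        type filter hook prerouting priority 0; policy accept;
        # Bind the helper only to control connections to port 21, rather
        # than letting the kernel auto-attach it to any flow on that port.
        tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop

        # Comma-separated bitmask notation: no braces, no set is created.
        ct state established,related counter accept

        # Single value: no braces, otherwise nft builds a one-element set.
        tcp dport 21 ct state new limit rate 2/second counter accept
    }
}
```

Load it with "nft -f" (or check syntax only with "nft -c -f"). Explicit assignment in prerouting is the supported replacement for the old automatic helper assignment (the nf_conntrack_helper sysctl, deprecated and off by default on current kernels): the FTP parser then only ever sees traffic that was deliberately sent to the control port, which is what a firewall wants since the helper punches holes for whatever ports the control channel announces. Note that the helper must see the cleartext control channel; with an encrypted control connection (FTPS) it cannot track the data session at all, and the high data ports would have to be permitted another way.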
Thread overview:
2014-08-14  9:29  nftables and FTP connection tracking  tomekx1000
2014-08-14 18:02  ` Pablo Neira Ayuso [this message]
2014-08-14 18:38  ` tomekx1000

Loose matches on Subject:
2014-08-13 12:56  Tomek L
2014-08-13 10:30  Tomek L