Masquerading with selectively open ports -- nftables

Masquerading with selectively open ports -- nftables

[Johannes Ernst]

My box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting to set it up as a router with NAT, and selective port openings: enp2s0 is supposed to have the ssh port open, while enp3s0 also gets to have http, https, dhcp and dns open so I can run Apache and dnsmasq on it for users on the LAN.

Ideally I'm looking for a full example that will work if I execute 'nft -f' with it. (Pretty much all related nftables examples I find seem to leave out crucial bits.)

Here is what I have so far:

table inet filter {
  chain input { # this chain serves as a dispatcher
    type filter hook input priority 0;

    iifname lo accept # always accept loopback
    iifname enp2s0 jump input_enp2s0
    iifname enp3s0 jump input_enp3s0

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
   }
  chain input_enp2s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    reject with icmp type port-unreachable # all other traffic
  }

  chain input_enp3s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    tcp port http accept
    tcp port https accept
    # and a few others
    reject with icmp type port-unreachable # all other traffic
  }

  chain ouput { # for now, we let everything out
    type filter hook output priority 0;
    accept
  }
}

Now I’m attempting to add masquerading, and I’m failing:
> nft add table nat
> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> nft add rule nat postrouting masquerade
<cmdline>:1:1-35: Error: Could not process rule: No such file or directory
add rule nat postrouting masquerade
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. This is copied straight from the wiki [1]. What am I doing wrong?

2. Even if this command worked, how do I properly integrate it into the rest of my tables/rules?

I’m on Arch x86_64, nftables 0.5.

Thanks,



Johannes.


[1] http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

Re: Masquerading with selectively open ports -- nftables

[Pablo Neira Ayuso]

On Wed, Oct 28, 2015 at 10:14:35AM -0700, Johannes Ernst wrote:
> My box has two interfaces (enp2s0, upstream to ISP with DHCP) and
> (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting
> to set it up as a router with NAT, and selective port openings:
> enp2s0 is supposed to have the ssh port open, while enp3s0 also gets
> to have http, https, dhcp and dns open so I can run Apache and
> dnsmasq on it for users on the LAN.
> 
> Ideally I'm looking for a full example that will work if I execute
> 'nft -f' with it. (Pretty much all related nftables examples I find
> seem to leave out crucial bits.)

You can probably contribute these examples to the wiki. Or I'd be
happy to get more or less generic scripts as examples that we can
place in the wiki.

Otherwise, I'll try to find time to add this myself.

> Now I’m attempting to add masquerading, and I’m failing:
> > nft add table nat
> > nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> > nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> > nft add rule nat postrouting masquerade
> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
> add rule nat postrouting masquerade
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 1. This is copied straight from the wiki [1]. What am I doing wrong?

The lines above work fine here.

Masquerading was added in 3.18, what kernel version are you using?

http://wiki.nftables.org/wiki-nftables/index.php/List_of_updates_since_Linux_kernel_3.13

Moreover, make sure you also compiled masquerading support for nf_tables:

CONFIG_NFT_MASQ=m

Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

> On Oct 28, 2015, at 16:15, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> 
> You can probably contribute these examples to the wiki. Or I'd be
> happy to get more or less generic scripts as examples that we can
> place in the wiki.

Once I figured out how to do what I want to do, I will definitely put it somewhere where others can find it.

>> Now I’m attempting to add masquerading, and I’m failing:
>>> nft add table nat
>>> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>>> nft add rule nat postrouting masquerade
>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
>> add rule nat postrouting masquerade
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 
>> 1. This is copied straight from the wiki [1]. What am I doing wrong?
> 
> The lines above work fine here.
> 
> Masquerading was added in 3.18, what kernel version are you using?

I’m on Arch, Linux 4.2.2 or thereabouts.

> Moreover, make sure you also compiled masquerading support for nf_tables:
> 
> CONFIG_NFT_MASQ=m

Ahh, that might be it. The Arch build script is here [2] and I don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile tomorrow and see where that leads us.

The other thing I’m still missing is where to attach the masquerade keyword. Is it on the incoming or outgoing interface or automagic? E.g. if my box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment), do I need to say something like “iifname enp2s0 masquerade”?

Also, the example has a separate table ‘nat’. Can I just put the nat chain into my inet filter table, or does this have to be a separate table?

Thank you!


Johannes.

[2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/nftables

Re: Masquerading with selectively open ports -- nftables

[Arturo Borrero Gonzalez]

On 29 October 2015 at 05:51, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>> On Oct 28, 2015, at 16:15, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>
>> You can probably contribute these examples to the wiki. Or I'd be
>> happy to get more or less generic scripts as examples that we can
>> place in the wiki.
>
> Once I figured out how to do what I want to do, I will definitely put it somewhere where others can find it.
>
>>> Now I’m attempting to add masquerading, and I’m failing:
>>>> nft add table nat
>>>> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
>>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>>>> nft add rule nat postrouting masquerade
>>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
>>> add rule nat postrouting masquerade
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>
>>> 1. This is copied straight from the wiki [1]. What am I doing wrong?
>>
>> The lines above work fine here.
>>
>> Masquerading was added in 3.18, what kernel version are you using?
>
> I’m on Arch, Linux 4.2.2 or thereabouts.
>
>> Moreover, make sure you also compiled masquerading support for nf_tables:
>>
>> CONFIG_NFT_MASQ=m
>
> Ahh, that might be it. The Arch build script is here [2] and I don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile tomorrow and see where that leads us.
>

this config option is from the linux kernel, for example:

% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m


> The other thing I’m still missing is where to attach the masquerade keyword. Is it on the incoming or outgoing interface or automagic? E.g. if my box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment), do I need to say something like “iifname enp2s0 masquerade”?
>

masquerading is a kind of source NAT, so only works in the output
path. In think you need this: 'oifname enp2s0 masquerade' in the nat
postrouting chain.

> Also, the example has a separate table ‘nat’. Can I just put the nat chain into my inet filter table, or does this have to be a separate table?
>

In nftables tables has no special semantic apart of storing chains.
Beware of families however, I doubt the inet family can hold NAT
stuff.

-- 
Arturo Borrero González

Re: Masquerading with selectively open ports -- nftables

[Pablo Neira Ayuso]

On Thu, Oct 29, 2015 at 09:11:03AM +0100, Arturo Borrero Gonzalez wrote:
> On 29 October 2015 at 05:51, Johannes Ernst <johannes.ernst@gmail.com> wrote:
> >> On Oct 28, 2015, at 16:15, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
[...]
> >> Moreover, make sure you also compiled masquerading support for nf_tables:
> >>
> >> CONFIG_NFT_MASQ=m
> >
> > Ahh, that might be it. The Arch build script is here [2] and I
> > don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile
> > tomorrow and see where that leads us.
> >
> 
> this config option is from the linux kernel, for example:
> 
> % grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
> CONFIG_NFT_EXTHDR=m
> CONFIG_NFT_META=m
> CONFIG_NFT_CT=m
> CONFIG_NFT_RBTREE=m
> CONFIG_NFT_HASH=m
> CONFIG_NFT_COUNTER=m
> CONFIG_NFT_LOG=m
> CONFIG_NFT_LIMIT=m
> CONFIG_NFT_MASQ=m
> CONFIG_NFT_REDIR=m
> CONFIG_NFT_NAT=m
> CONFIG_NFT_QUEUE=m
> CONFIG_NFT_REJECT=m
> CONFIG_NFT_REJECT_INET=m
> CONFIG_NFT_COMPAT=m
> CONFIG_NFT_CHAIN_ROUTE_IPV4=m
> CONFIG_NFT_REJECT_IPV4=m
> CONFIG_NFT_CHAIN_NAT_IPV4=m
> CONFIG_NFT_MASQ_IPV4=m
> # CONFIG_NFT_REDIR_IPV4 is not set
> CONFIG_NFT_CHAIN_ROUTE_IPV6=m
> CONFIG_NFT_REJECT_IPV6=m
> CONFIG_NFT_CHAIN_NAT_IPV6=m
> CONFIG_NFT_MASQ_IPV6=m
> # CONFIG_NFT_REDIR_IPV6 is not set
> CONFIG_NFT_BRIDGE_META=m
> CONFIG_NFT_BRIDGE_REJECT=m

It would be good to have a sort of "compiling nf_tables kernel
support" on the wiki, in case anyone finds the time to contribute it.
We can use what Eric Leblond wrote time ago on his quick howto and
update it.

[...]
> In nftables tables has no special semantic apart of storing chains.
> Beware of families however, I doubt the inet family can hold NAT
> stuff.

I confirm this: We have no nat table for inet, only filter.

Re: Masquerading with selectively open ports -- nftables

[Arturo Borrero Gonzalez]

On 29 October 2015 at 20:55, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> It would be good to have a sort of "compiling nf_tables kernel
> support" on the wiki, in case anyone finds the time to contribute it.
>

Hi Pablo,

I added a bit more info to the wiki. Would you like to review it?

I added hints about checking the kernel configuration [0] and some
pointers to distributor's nftables as well [1].

[0] http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
[1] http://wiki.nftables.org/wiki-nftables/index.php/Nftables_from_distributions

-- 
Arturo Borrero Gonz√°lez

Re: Masquerading with selectively open ports -- nftables

[Pablo Neira Ayuso]

On Fri, Oct 30, 2015 at 11:50:20AM +0100, Arturo Borrero Gonzalez wrote:
> On 29 October 2015 at 20:55, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > It would be good to have a sort of "compiling nf_tables kernel
> > support" on the wiki, in case anyone finds the time to contribute it.
> >
> 
> Hi Pablo,
> 
> I added a bit more info to the wiki. Would you like to review it?
>
> I added hints about checking the kernel configuration [0] and some
> pointers to distributor's nftables as well [1].
> 
> [0] http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
> [1] http://wiki.nftables.org/wiki-nftables/index.php/Nftables_from_distributions

This looks very good at quick glance.

Thanks Arturo!

Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

>> [0] http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources

This:
> grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64

seems to be distro-specific. E.g. on Arch, I don’t have such a file containing kernel config options at runtime. I’d add a note to the wiki, but I don’t know which distro does this.

Thanks,



Johannes.

Re: Masquerading with selectively open ports -- nftables

[Arturo Borrero Gonzalez]

On 30 October 2015 at 19:25, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>>> [0] http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
>
> This:
>> grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
>
> seems to be distro-specific. E.g. on Arch, I don’t have such a file containing kernel config options at runtime. I’d add a note to the wiki, but I don’t know which distro does this.
>

Yeah that was an example on Debian.

In Arch it seems you can look in /proc/config.gz
-- 
Arturo Borrero González

Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

> On Oct 30, 2015, at 11:27, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> wrote:
> 
> On 30 October 2015 at 19:25, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>>>> [0] http://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
>> 
>> This:
>>> grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
>> 
>> seems to be distro-specific. E.g. on Arch, I don’t have such a file containing kernel config options at runtime. I’d add a note to the wiki, but I don’t know which distro does this.
>> 
> 
> Yeah that was an example on Debian.
> 
> In Arch it seems you can look in /proc/config.gz

I added a note to the wiki.

Cheers,


Johannes.

Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

Kernel modules are ok now, but I can’t get “out” from my LAN via masquerade if I say 'oifname enp2s0 masquerade'.

It does seem to work without the oifname. But how does nftables decide which of the interfaces need to be masqueraded if I don’t provide such a conditional?

This is what I have:

enp2s0: 192.168.138.125 (towards ‘upstream’)
enp3s0: 192.168.150.1 (‘LAN’)

> nft list tables
table ip nat
> nft list table ip nat
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    oifname “enp2s0” masquerade
  }
}

My ‘LAN’ test machine has 192.168.150.239. It can ping 192.168.150.1 and 192.168.138.125, but nothing further upstream.

My ‘gateway’ can ping upstream and the LAN test machine.

Again, it seems to work if I drop the 'oifname “enp2s0”' in front of the masquerade.

Thanks,



Johannes.

Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

>>> CONFIG_NFT_MASQ=m
>> 
>> Ahh, that might be it. The Arch build script is here [2] and I don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile tomorrow and see where that leads us.
> 
> this config option is from the linux kernel, 

Sorry, my bad, should have recognized that. Turns out that I have another Arch box in which the masquerade keyword does not produce an error. Looks like different kernel modules are being loaded. While I’m investigating, I’m noticing that Arch does use slightly different options for its default kernel, specifically:

CONFIG_NFT_REDIR_IPV4=m
CONFIG_NFT_MASQ_IPV6=m

are both set (compared to the list sent by Arturo). I do not know what those mean, but I assume they won’t hurt?

Cheers,



Johannes.

kernel modules: was Re: Masquerading with selectively open ports -- nftables

[Johannes Ernst]

On 29 October 2015 at 05:51, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>>>>> nft add rule nat postrouting masquerade
>>>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
>>>> add rule nat postrouting masquerade
>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> 
>>>> 1. This is copied straight from the wiki [1]. What am I doing wrong?

I fixed it. Apparently kernel module nft_masq_ipv4 (and some dependencies) hadn’t been loaded. (I don’t know why.)

Q: What do I have to do about kernel module loading? Is that automatic, or do I need to do something manually? (e.g. with /etc/modules-load.d/) This [1] seems to imply I have to do it manually.

Thanks,




Johannes.

[1] https://home.regit.org/netfilter-en/nftables-quick-howto/

Re: kernel modules: was Re: Masquerading with selectively open ports -- nftables

[Pablo Neira Ayuso]

On Thu, Oct 29, 2015 at 04:48:52PM -0700, Johannes Ernst wrote:
> On 29 October 2015 at 05:51, Johannes Ernst <johannes.ernst@gmail.com> wrote:
> >>>>> nft add rule nat postrouting masquerade
> >>>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
> >>>> add rule nat postrouting masquerade
> >>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>> 
> >>>> 1. This is copied straight from the wiki [1]. What am I doing wrong?
> 
> I fixed it. Apparently kernel module nft_masq_ipv4 (and some
> dependencies) hadn’t been loaded. (I don’t know why.)
> 
> Q: What do I have to do about kernel module loading? Is that
> automatic, or do I need to do something manually? (e.g. with
> /etc/modules-load.d/) This [1] seems to imply I have to do it
> manually.

It should be automatic, other than that it's a bug that it would be
good to report.

Thanks.

Re: Masquerading with selectively open ports -- nftables

[Miroslav Rovis]

[-- Attachment #1: Type: text/plain, Size: 3486 bytes --]

Hi!

I thought I'd help point to a typo in the Nftables Archlinux Wiki
related to this trailblazer ;-) thread.

If I understand correctly, Johannes Ernst is the main contributor of
that wiki. BTW, a superb tutorial!

In short:

file:///Cmn/dLo/Nft/nftables-ArchWiki.htm#Practical_examples

Different rules for different interfaces

is:

    tcp port http accept
    tcp port https accept

but there ought to be:

    tcp port http accept
    tcp port https accept

And then only the example works, as I showed in my Gentoo Forums topic:

A Firewalled Internet Access to Internal Subnet
https://forums.gentoo.org/viewtopic-t-1041028.html#7897320

On 151028-10:14-0700, Johannes Ernst wrote:
> My box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting to set it up as a router with NAT, and selective port openings: enp2s0 is supposed to have the ssh port open, while enp3s0 also gets to have http, https, dhcp and dns open so I can run Apache and dnsmasq on it for users on the LAN.
> 
> Ideally I'm looking for a full example that will work if I execute 'nft -f' with it. (Pretty much all related nftables examples I find seem to leave out crucial bits.)
> 
> Here is what I have so far:
> 
> table inet filter {
>   chain input { # this chain serves as a dispatcher
>     type filter hook input priority 0;
> 
>     iifname lo accept # always accept loopback
>     iifname enp2s0 jump input_enp2s0
>     iifname enp3s0 jump input_enp3s0
> 
>     reject with icmp type port-unreachable # refuse traffic from all other interfaces
>    }
>   chain input_enp2s0 {
>     ct state {established,related} accept
>     ct state invalid drop
>     udp dport bootpc accept
>     tcp dport bootpc accept
>     reject with icmp type port-unreachable # all other traffic
>   }
> 
>   chain input_enp3s0 {
>     ct state {established,related} accept
>     ct state invalid drop
>     udp dport bootpc accept
>     tcp dport bootpc accept
>     tcp port http accept
>     tcp port https accept
>     # and a few others
>     reject with icmp type port-unreachable # all other traffic
>   }
> 
>   chain ouput { # for now, we let everything out
>     type filter hook output priority 0;
>     accept
>   }
> }
> 
> Now I’m attempting to add masquerading, and I’m failing:
> > nft add table nat
> > nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> > nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> > nft add rule nat postrouting masquerade
> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
> add rule nat postrouting masquerade
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 1. This is copied straight from the wiki [1]. What am I doing wrong?
> 
> 2. Even if this command worked, how do I properly integrate it into the rest of my tables/rules?
> 
> I’m on Arch x86_64, nftables 0.5.
> 
> Thanks,
> 
> 
> 
> Johannes.
> 
> 
> [1] http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
> 
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Happy upcoming Easter to all!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Masquerading with selectively open ports -- nftables

[Miroslav Rovis]

[-- Attachment #1: Type: text/plain, Size: 700 bytes --]


The text in my previous mail
(
http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.general/48565
)

about the typo in Nftables Archlinux Wiki should have read (notice the
dport, twice):

https://wiki.archlinux.org/index.php/Nftables#Practical_examples

Different rules for different interfaces

is:

    tcp port http accept
    tcp port https accept

but there ought to be:

    tcp dport http accept
    tcp dport https accept

And then only the example works, as I showed in my Gentoo Forums topic:

A Firewalled Internet Access to Internal Subnet
https://forums.gentoo.org/viewtopic-t-1041028.html#7897320

as Neal P. Murphy pointed out to me in private email. Thanks, and sorry.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]