From: Aaron Fischer <mail@aaron-fischer.net>
To: netfilter@vger.kernel.org
Subject: Re: nftables: origin sport after dstnat
Date: Thu, 8 Dec 2022 00:31:59 +0100	[thread overview]
Message-ID: <20221208003159.3bc95cfc@deskFu> (raw)
In-Reply-To: <20221207112900.GA28507@breakpoint.cc>

On Wed, 7 Dec 2022 12:29:00 +0100 Florian Westphal <fw@strlen.de> wrote:
> Aaron Fischer <mail@aaron-fischer.net> wrote:
> > Is there a way to somehow access the origin sport (8448 in my
> > case), so I can filter for it in the FORWARD chain?  
> 
> Yes, the original addresses are stored in conntrack: 'ct original
> proto-src 8448'

Thank you for this valuable hint! I've tested it with this bare minimum
config:

alpine-test:/etc# cat nft-ct.nft 
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority filter
        policy accept
    }

    chain FORWARD {
        type filter hook forward priority filter
        policy drop
        ct original proto-src 8448 accept
    }
}

But the config seems invalid:

alpine-test:/etc# nft -c -f /etc/nft-ct.nft 
/etc/nft-ct.nft:14:31-34: Error: Can't parse symbolic invalid
expressions ct original proto-src 8448 accept
                                  ^^^^

Not sure why. Various examples and the man page also show it the way
you mentioned. The source code doesn't give me much more insight into what
the syntax should be. Why is 8448 an "invalid" type?

I use the latest version of the nft tool (v1.0.5).

Aaron
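As an added example (not the poster's file or a reply from the thread), the same minimal ruleset with the transport protocol stated in front of the conntrack match: `ct original proto-src` only has a datatype once nft knows the L4 protocol, which is what the "invalid" in the parse error refers to, so a `meta l4proto tcp` qualifier resolves it. The port 8448 and chain names are taken from the message; that the service is TCP is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example, not the original nft-ct.nft: identical ruleset, with the
# transport protocol qualified so the port match can be typed.
# Syntax check before loading:  nft -c -f nft-ct.nft

flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority filter
        policy accept
    }

    chain FORWARD {
        type filter hook forward priority filter
        policy drop

        # The conntrack "original" tuple keeps the pre-NAT addresses and
        # ports, so it can be matched in FORWARD after DNAT has rewritten
        # the packet. 'proto-src' is untyped until the L4 protocol is known,
        # hence 'meta l4proto tcp' first (use udp if the service is UDP;
        # TCP is assumed here).
        meta l4proto tcp ct original proto-src 8448 accept
    }
}
```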
