From: Randy Bush <randy@psg.com>
To: netfilter@vger.kernel.org
Subject: prefix len confusion
Date: Tue, 09 Jun 2026 17:10:47 -0700
Message-ID: <m233yv2r20.wl-randy@psg.com>
[ old dog but new to this list. apologies for fleas ]
amd64 hardware, not vm
debian 13, very current
nftables v1.1.3 (Commodore Bullmoose #4)
tl;dr:
o ipv4 ssh dict attacker getting through
o i am not an nftables guru; but a few of us have stared at this
for many days
o do i not understand cidr prefix notation?
essentially, i am seeing the traditional ssh dict attack to
42.642.11.82, when i think i am filtering 42.642.11.80/30, which should
cover 42.642.11.82
the attack sources, at least as logged, are not within the allowed $JUMP
or other allow lists
the equivalent of this is happening in more than one pop
here is an anonymized copy of `/etc/nftables.conf`. i hope the ip addy
mangling did not screw things up. sorry for the length.
randy
#!/usr/sbin/nft -f

flush ruleset

define IFACE = enp4s0f1

define JUMP4 = {
    42.666.0.0/23,
    42.642.11.0/24,
    42.642.12.0/24
}

define JUMP6 = {
    2001:841:1::0/48,
    2001:841:3806::0/48,
    2001:841:8006::0/48
}

define EXTv4 = {
    250.12.129.20/30,
    238.224.157.204/30
}

define EXTv6 = {
    2001:841:3800:5000::20/126,
    2001:841:3800:5000::/126
}

define INTv4 = {
    42.642.11.0/24,
    250.12.129.20/30,
    238.224.157.204/30
}

define INTv6 = {
    2001:841:7830::0/48,
    2001:841:3800:5000::20/126, # NTT
    2001:841:3800:5000::/126    # NTT
}

define BOGONS4 = {
    42.642.11.0/24,
    10.0.0.0/8,
    127.0.0.0/8,
    172.16.0.0/12,
    192.168.0.0/16,
    169.254.0.0/16
}

define BOGONS6 = {
    ::/128,
    ::1/128,
    ::ffff:0:0/96,
    ::/96,
    100::/64,
    2001:10::/28,
    2001:db8::/32,
    3fff::/20,
    fc00::/7,
    fe80::/10,
    fec0::/10,
    ff00::/8
}

define SNMP = {
    250.32.129.0/24,
    250.42.129.0/26,
    42.642.11.9,
    42.642.11.17
}

define VULN4 = {
    42.642.11.34/31,
    42.642.11.36/31,
    42.642.11.40/29,
    42.642.11.48/29,
    42.642.11.80/30 # <<<====
}

define PROX4 = {
    42.642.11.30/31,
    42.642.11.32/32
}

define PROX6 = {
    2001:841:7830::30/127,
    2001:841:7830::32/128
}

table ip filter {
    chain forward {
        type filter hook forward priority filter;
        iifname "lo" accept
        ip protocol icmp accept
        iifname $IFACE goto wan-in
        # so is LAN
        ip saddr $INTv4 accept
        drop
    }

    chain wan-in {
        ip saddr $BOGONS4 drop
        ip protocol icmp accept
        ip saddr $JUMP4 accept
        ip saddr $EXTv4 accept
        tcp dport 8006 ip daddr $PROX4 drop # block proxmox web login
        ip daddr $VULN4 drop
        udp dport snmp ip saddr $SNMP accept
        tcp dport snmp ip saddr $SNMP accept
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 11211 } drop
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 11211 } drop
        accept
    }
}

table ip6 filter {
    chain forward {
        type filter hook forward priority filter;
        iifname "lo" accept
        ip6 nexthdr icmpv6 accept
        iifname $IFACE goto wan-in
        # so is LAN
        ip6 saddr $INTv6 accept
        drop
    }

    chain wan-in {
        ip6 saddr $BOGONS6 drop
        ip6 nexthdr icmpv6 accept
        ip6 saddr $JUMP6 accept
        ip6 saddr $EXTv6 accept
        tcp dport 8006 ip6 daddr $PROX6 drop
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop
        accept
    }
}
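As an added example (editor's code, not part of Randy's post or of the list thread), the script below does three things a reader of the config above would want to check by hand: it parses set definitions written in the nft `define NAME = { ... }` form shown in the post, it reports which element of a set covers a given address (the prefix question in the post: a /30 spans four addresses, so an .80/30 element covers .80 through .83 and therefore .82), and it walks the posted `wan-in` chain in order with first-match semantics so that the rule a given packet actually hits is visible, for instance that an `ip saddr $JUMP4 accept` earlier in the chain wins over the later `ip daddr $VULN4 drop`. The addresses in the post are anonymized with octets above 255 and cannot be parsed, so the sets here are constructed stand-ins of the same shape using documentation ranges (192.0.2.0/24 playing the anonymized 42.642.11.0/24, 203.0.113.0/24 the other JUMP4 range, 198.51.100.0/24 for the EXT and SNMP ranges); the chain model is a plain Python re-statement of the posted rule order, not nftables itself.

```python
import ipaddress

# Port lists copied from the posted wan-in chain.
UDP_DROP = {111, 425, 137, 138, 139, 161, 445, 514, 515, 11211}
TCP_DROP = {111, 135, 137, 138, 139, 161, 445, 514, 515, 11211}


def elements(text):
    """Split the body of an nft `define NAME = { ... }` block (or a bare
    `{ a, b }` list) into its elements; `# ...` comments are dropped per line."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    if "{" in body:
        body = body[body.index("{") + 1:]
    return [e.strip() for e in body.replace("}", " ").split(",") if e.strip()]


def parse_set(text):
    """Elements as ip_network objects. strict=False so an element written with
    host bits set still parses to the aligned block it actually covers."""
    return [ipaddress.ip_network(e, strict=False) for e in elements(text)]


def misaligned(text):
    """Sanity check for hand-written sets: elements whose prefix has host bits
    set (192.0.2.82/30 is really the block 192.0.2.80/30)."""
    bad = []
    for e in elements(text):
        try:
            ipaddress.ip_network(e, strict=True)
        except ValueError:
            bad.append(e)
    return bad


def covering_prefix(addr, nets):
    """First element of nets that contains addr, or None if no element does."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)


# Constructed stand-ins with the same shape as the posted sets (documentation
# ranges; the post's own octets are anonymized and not valid IPv4).
SETS = {
    "BOGONS4": parse_set("{ 192.0.2.0/24, 10.0.0.0/8, 127.0.0.0/8,"
                         " 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"),
    "JUMP4": parse_set("{ 203.0.113.0/24, 192.0.2.0/24 }"),
    "EXTv4": parse_set("{ 198.51.100.20/30, 198.51.100.204/30 }"),
    "PROX4": parse_set("{ 192.0.2.30/31, 192.0.2.32/32 }"),
    "SNMP": parse_set("{ 198.51.100.0/26, 192.0.2.9, 192.0.2.17 }"),
    "VULN4": parse_set("""
define VULN4 = {
    192.0.2.34/31,
    192.0.2.36/31,
    192.0.2.40/29,
    192.0.2.48/29,
    192.0.2.80/30  # <<<==== the element under discussion
}
"""),
}


def wan_in(saddr, daddr, proto, dport=None, sets=SETS):
    """Evaluate the posted `wan-in` chain rule by rule, first match wins.
    proto is 'tcp', 'udp' or 'icmp'. Returns (verdict, rule_text) so the
    reader sees which rule fired, not just the verdict."""
    def hit(addr, name):
        return covering_prefix(addr, sets[name]) is not None

    tcp, udp = proto == "tcp", proto == "udp"
    rules = [
        ("ip saddr $BOGONS4 drop", hit(saddr, "BOGONS4"), "drop"),
        ("ip protocol icmp accept", proto == "icmp", "accept"),
        ("ip saddr $JUMP4 accept", hit(saddr, "JUMP4"), "accept"),
        ("ip saddr $EXTv4 accept", hit(saddr, "EXTv4"), "accept"),
        ("tcp dport 8006 ip daddr $PROX4 drop",
         tcp and dport == 8006 and hit(daddr, "PROX4"), "drop"),
        ("ip daddr $VULN4 drop", hit(daddr, "VULN4"), "drop"),
        ("udp dport snmp ip saddr $SNMP accept",
         udp and dport == 161 and hit(saddr, "SNMP"), "accept"),
        ("tcp dport snmp ip saddr $SNMP accept",
         tcp and dport == 161 and hit(saddr, "SNMP"), "accept"),
        ("udp dport { ... } drop", udp and dport in UDP_DROP, "drop"),
        ("tcp dport { ... } drop", tcp and dport in TCP_DROP, "drop"),
        ("accept", True, "accept"),
    ]
    return next((verdict, text) for text, matched, verdict in rules if matched)


if __name__ == "__main__":
    print("192.0.2.82 covered by", covering_prefix("192.0.2.82", SETS["VULN4"]))
    print("192.0.2.84 covered by", covering_prefix("192.0.2.84", SETS["VULN4"]))
    print("misaligned:", misaligned("{ 192.0.2.82/30, 192.0.2.80/30 }"))
    for src in ("198.18.0.5", "203.0.113.9", "192.0.2.5"):
        print(src, "-> ssh to 192.0.2.82:", wan_in(src, "192.0.2.82", "tcp", 22))
```

Run it as a script to see the walk-through, or import it and call `wan_in()` with the source and destination from a logged connection attempt. The three sample sources in the demo are chosen to land on different rules: an unrelated source reaches the `$VULN4` drop, a source inside the stand-in `$JUMP4` is accepted before that rule is ever evaluated, and a source inside the same /24 that the posted `$BOGONS4` also lists is dropped by the first rule. Swapping the stand-in prefixes for real ones (once de-anonymized) and the logged attacker addresses into `wan_in()` is the quickest way to confirm whether the drop rule is even being reached.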