Date: Tue, 09 Jun 2026 17:10:47 -0700
From: Randy Bush
To: netfilter@vger.kernel.org
Subject: prefix len confusion

[ old dog but new to this list. apologies for fleas ]

amd64 hardware, not vm
debian 13, very current
nftables v1.1.3 (Commodore Bullmoose #4)

tl;dr:
  o ipv4 ssh dict attacker getting through
  o i am not an nftables guru; but a few of us have stared at this for many days
  o do i not understand cidr prefix notation?

essentially, i am seeing the traditional ssh dict attack to 42.642.11.82, when i think i am filtering 42.642.11.80/30, which should cover 42.642.11.82.

the attack sources, at least as logged, are not within the allowed $JUMP or other allow lists.

the equivalent of this is happening in more than one pop.

here is an anonymized copy of `/etc/nftables.conf`. i hope the ip addy mangling did not screw things up. sorry for the length.
randy

#!/usr/sbin/nft -f

flush ruleset

define IFACE = enp4s0f1

define JUMP4 = { 42.666.0.0/23, 42.642.11.0/24, 42.642.12.0/24 }
define JUMP6 = { 2001:841:1::0/48, 2001:841:3806::0/48, 2001:841:8006::0/48 }

define EXTv4 = { 250.12.129.20/30, 238.224.157.204/30 }
define EXTv6 = { 2001:841:3800:5000::20/126, 2001:841:3800:5000::/126 }

define INTv4 = { 42.642.11.0/24, 250.12.129.20/30, 238.224.157.204/30 }
define INTv6 = { 2001:841:7830::0/48,
                 2001:841:3800:5000::20/126,   # NTT
                 2001:841:3800:5000::/126      # NTT
               }

define BOGONS4 = { 42.642.11.0/24, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12,
                   192.168.0.0/16, 169.254.0.0/16 }
define BOGONS6 = { ::/128, ::1/128, ::ffff:0:0/96, ::/96, 100::/64, 2001:10::/28,
                   2001:db8::/32, 3fff::/20, fc00::/7, fe80::/10, fec0::/10, ff00::/8 }

define SNMP = { 250.32.129.0/24, 250.42.129.0/26, 42.642.11.9, 42.642.11.17 }

define VULN4 = { 42.642.11.34/31, 42.642.11.36/31, 42.642.11.40/29, 42.642.11.48/29,
                 42.642.11.80/30   # <<<====
               }

define PROX4 = { 42.642.11.30/31, 42.642.11.32/32 }
define PROX6 = { 2001:841:7830::30/127, 2001:841:7830::32/128 }

table ip filter {
    chain forward {
        type filter hook forward priority filter;
        iifname "lo" accept
        ip protocol icmp accept
        iifname $IFACE goto wan-in        # so is LAN
        ip saddr $INTv4 accept
        drop
    }

    chain wan-in {
        ip saddr $BOGONS4 drop
        ip protocol icmp accept
        ip saddr $JUMP4 accept
        ip saddr $EXTv4 accept
        tcp dport 8006 ip daddr $PROX4 drop   # block proxmox web login
        ip daddr $VULN4 drop
        udp dport snmp ip saddr $SNMP accept
        tcp dport snmp ip saddr $SNMP accept
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 11211 } drop
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 11211 } drop
        accept
    }
}

table ip6 filter {
    chain forward {
        type filter hook forward priority filter;
        iifname "lo" accept
        ip6 nexthdr icmpv6 accept
        iifname $IFACE goto wan-in        # so is LAN
        ip6 saddr $INTv6 accept
        drop
    }

    chain wan-in {
        ip6 saddr $BOGONS6 drop
        ip6 nexthdr icmpv6 accept
        ip6 saddr $JUMP6 accept
        ip6 saddr $EXTv6 accept
        tcp dport 8006 ip6 daddr $PROX6 drop
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop
        accept
    }
}
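Two things a reader would want to check against the ruleset above, written here as an added example for this thread (it is not code from the original message or from the nftables project): the prefix arithmetic for `.80/30`, and the order in which the `wan-in` rules are consulted for a TCP/22 packet. The posted addresses are anonymized and do not parse as IPv4 (an octet of 642 is out of range), so documentation ranges stand in for them below, with host numbers kept so that ".82 in .80/30" is the same question it is in the post; the stand-in mapping is stated in the module docstring. One caveat the model cannot show: both posted chains hook `forward` only, and a packet addressed to the firewall host itself traverses the `input` hook and is never seen by a `forward` chain, so the walk below only says what happens to traffic this chain actually sees.

```python
"""Prefix arithmetic and rule-order check for the `wan-in` chain in the post.

Added example for this thread; it is not code from the original message or from
nftables. The posted addresses are anonymized (an octet of 642 is not valid IPv4),
so the sets are rebuilt with documentation ranges standing in (all constructed):
203.0.113.0/24 for 42.642.11.0/24, 203.0.114.0/24 for 42.642.12.0/24,
198.51.100.0/23 for 42.666.0.0/23, 192.0.2.20/30 and 192.0.2.204/30 for EXTv4.
Host numbers are unchanged, so ".82 in .80/30?" is the same question as in the post.
"""
import ipaddress
import re

# Constructed stand-in for the posted `define VULN4 = { ... }`, trailing comment included.
VULN4_DEFINE = """
define VULN4 = { 203.0.113.34/31, 203.0.113.36/31, 203.0.113.40/29, 203.0.113.48/29,
                 203.0.113.80/30   # <<<====
               }
"""


def parse_nft_set(text):
    """Return the ip_network list from an nft `define NAME = { ... }` block.

    `# ...` comments are stripped first; a bare address with no prefix length
    becomes a /32 (or /128), which is how nft reads it as well.
    """
    body = re.search(r"\{(.*)\}", text, re.S).group(1)
    body = re.sub(r"#[^\n]*", "", body)
    return [ipaddress.ip_network(tok.strip()) for tok in body.split(",") if tok.strip()]


def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Stand-in versions of the other sets the wan-in chain references (constructed).
VULN4 = parse_nft_set(VULN4_DEFINE)
JUMP4 = nets(["198.51.100.0/23", "203.0.113.0/24", "203.0.114.0/24"])
EXTv4 = nets(["192.0.2.20/30", "192.0.2.204/30"])
BOGONS4 = nets(["203.0.113.0/24", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "169.254.0.0/16"])
SNMP = nets(["203.0.113.9", "203.0.113.17"])   # the two host entries of the posted set
PROX4 = nets(["203.0.113.30/31", "203.0.113.32/32"])
TCP_BLOCK = {111, 135, 137, 138, 139, 161, 445, 514, 515, 11211}


def prefix_range(cidr):
    """First and last address covered by a prefix, e.g. .80/30 -> (.80, .83)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covering_prefix(addr, networks):
    """The first prefix in `networks` that contains `addr`, or None if none does."""
    a = ipaddress.ip_address(addr)
    return next((net for net in networks if a in net), None)


def wan_in_verdict(saddr, daddr, dport):
    """Walk the posted `wan-in` chain for one TCP packet and return (rule, verdict).

    nft evaluates rules top to bottom and the first terminating verdict wins; the
    ICMP and UDP rules are omitted because only TCP (ssh is tcp/22) is modelled.
    """
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    hit = lambda a, ns: covering_prefix(str(a), ns) is not None
    rules = [
        ("ip saddr $BOGONS4 drop",               hit(s, BOGONS4),                 "drop"),
        ("ip saddr $JUMP4 accept",               hit(s, JUMP4),                   "accept"),
        ("ip saddr $EXTv4 accept",               hit(s, EXTv4),                   "accept"),
        ("tcp dport 8006 ip daddr $PROX4 drop",  dport == 8006 and hit(d, PROX4), "drop"),
        ("ip daddr $VULN4 drop",                 hit(d, VULN4),                   "drop"),
        ("tcp dport snmp ip saddr $SNMP accept", dport == 161 and hit(s, SNMP),   "accept"),
        ("tcp dport { 111, 135, ... } drop",     dport in TCP_BLOCK,              "drop"),
    ]
    for text, matched, verdict in rules:
        if matched:
            return text, verdict
    return "accept (chain default)", "accept"


if __name__ == "__main__":
    print("203.0.113.80/30 covers", "-".join(prefix_range("203.0.113.80/30")))
    for probe in ("203.0.113.82", "203.0.113.83", "203.0.113.84"):
        print(probe, "->", covering_prefix(probe, VULN4) or "not in VULN4")
    # An ssh probe from a source in no allow list, aimed at the .82 host:
    print(wan_in_verdict("198.18.0.7", "203.0.113.82", 22))
    # The same probe from a $JUMP4 source is accepted before the $VULN4 rule is reached:
    print(wan_in_verdict("203.0.114.9", "203.0.113.82", 22))
```

Running it shows that `.80/30` covers `.80` through `.83`, so `.82` is inside the set, and that a TCP/22 packet from an address outside `$BOGONS4`, `$JUMP4` and `$EXTv4` reaches the `ip daddr $VULN4 drop` rule in this chain. If such a packet is still arriving at the host, the packet is not traversing this `forward` chain, which is where to look next.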