* rate limit SIP INVITES
From: sean darcy @ 2020-09-26 19:10 UTC
To: netfilter

nftables-0.9.6
I'm running a VOIP server. There are lots of script kiddies who will
bang away with 10/sec SIP INVITES or REGISTERS.
In iptables you can match on the string:
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
"INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP
INVITEs" -j SIPINVITE
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string
"REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP
REGISTERs" -j SIPREGISTER
I'm looking at RAW to do the same:
meta l4proto udp udp dport 5060 @th,184,224 0x494e56495445 counter
where 184 = 23*8, and 224 = 28*8. INVITE is 0x494e56495445 in hex.
I have a prerouting chain:
table ip filter-asterisk {
chain output-asterisk {
..................
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
}
}
but no joy when I try to add the rule:
nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
@th,184,224 0x494e56495445 counter
Error: Could not process rule: Value too large for defined data type
add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
@th,184,224 0x494e56495445 counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Any help appreciated.
sean

* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:26 UTC
To: netfilter

On 9/26/20 3:10 PM, sean darcy wrote:
> [...]
> but no joy when I try to add the rule:
>
> nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
> @th,184,224 0x494e56495445 counter
> Error: Could not process rule: Value too large for defined data type
> add rule filter-asterisk prerouting meta l4proto udp udp dport 5060
> @th,184,224 0x494e56495445 counter
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Any help appreciated.
>
> sean

Closer reading of the man page:

# nft add rule filter-asterisk prerouting meta l4proto udp udp dport 5060 @th,184,96 0x494e56495445 counter
#

The 3rd parameter of the raw expression is bit length (16 * the six characters in INVITE, correct?).

Now let's see if it works.

sean

* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:34 UTC
To: netfilter

On 9/26/20 4:26 PM, sean darcy wrote:
> [...]
> Closer reading of the man page:
>
> # nft add rule filter-asterisk prerouting meta l4proto udp udp dport
> 5060 @th,184,96 0x494e56495445 counter
> #
>
> The 3rd parameter of the raw expression is bit length (16 * the six
> characters in INVITE, correct?).
>
> Now let's see if it works.
>
> sean

Or better 192, 32 * the 6 characters in INVITE. It seems there are 2 hex numbers for each ascii character.

* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-26 20:45 UTC
To: netfilter

On 9/26/20 4:26 PM, sean darcy wrote:
> [...]
> Closer reading of the man page:
>
> # nft add rule filter-asterisk prerouting meta l4proto udp udp dport
> 5060 @th,184,96 0x494e56495445 counter
> #
>
> The 3rd parameter of the raw expression is bit length (16 * the six
> characters in INVITE, correct?).
>
> Now let's see if it works.
>
> sean

I'm quitting for the day. 4 bits = 1 hex number. 6 ascii characters is 12 hex numbers, or 48 bits.

* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 13:54 UTC
To: sean darcy; +Cc: netfilter

On Sat, Sep 26, 2020 at 03:10:24PM -0400, sean darcy wrote:
> nftables-0.9.6
>
> I'm running a VOIP server. There are lots of script kiddies who will bang
> away with 10/sec SIP INVITES or REGISTERS.
>
> In iptables you can match on the string:
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE"
> --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j
> SIPINVITE
>
> -A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER"
> --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j
> SIPREGISTER
>
> I'm looking at RAW to do the same:

nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter

@th => transport header
64 => from bit number 64 (8 bytes after the UDP header)
48 => extract 48 bits (6 bytes for INVITE)

* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 14:03 UTC
To: sean darcy; +Cc: netfilter

On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
> [...]
> nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
>
> @th => transport header
> 64 => from bit number 64 (8 bytes after the UDP header)
> 48 => extract 48 bits (6 bytes for INVITE)

@th,offset,length

where offset and length are expressed in bits.

* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-27 15:42 UTC
To: netfilter

On 9/27/20 10:03 AM, Pablo Neira Ayuso wrote:
> On Sun, Sep 27, 2020 at 03:54:47PM +0200, Pablo Neira Ayuso wrote:
>> [...]
>> nft add rule x y udp dport 5060 @th,64,48 0x494e56495445 counter
>>
>> @th => transport header
>> 64 => from bit number 64 (8 bytes after the UDP header)
>> 48 => extract 48 bits (6 bytes for INVITE)
>
> @th,offset,length
>
> where offset and length are expressed in bits.

Thanks for the response.

I corrected it, but it didn't work:

nft list chain filter raw
table ip filter {
        chain raw {
                type filter hook prerouting priority raw; policy accept;
                udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
                udp dport 5060 @th,184,64 5928222864759342418 counter packets 0 bytes 0
        }
}

I've gotten over 100 INVITEs or REGISTERs. Also nft changes the hex to decimal.

Here's the input:

# INVITE ascii = 0x494e56495445 hex, 48 (6 * 8) bits long
# REGISTER ascii = 52 45 47 49 53 54 45 52, 64 (8 * 8) bits long
chain raw {
        type filter hook prerouting priority raw; policy accept;
        udp dport 5060 @th,184,48 0x494e56495445 counter packets 0 bytes 0
        udp dport 5060 @th,184,64 0x5245474953544552 counter
}

I'd suggest nft should leave it in hex.

Here's the tcpdump output

0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0 ...I..RT...0..E.
0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461 ....@.@...Q....a
0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445 ;L......8nINVITE

INVITE starts at bit 337 (128 * 2) + (5 * 16) + 1, but this is zero based, so use 336, correct?

As I read your response, it's not the offset from the beginning, but after the UDP header, so 336 - 120, or 216. (BTW, I always thought the UDP header was 160 bits.)

udp dport 5060 @th,216,48 0x494e56495445 counter

Sorry for being so long-winded. I appreciate your help in sorting this out.

sean

* Re: rate limit SIP INVITES
From: Florian Westphal @ 2020-09-27 19:12 UTC
To: sean darcy; +Cc: netfilter

sean darcy <seandarcy2@gmail.com> wrote:
> [...]
> I corrected it, but it didn't work:
>
> nft list chain filter raw
> table ip filter {
>         chain raw {
>                 type filter hook prerouting priority raw; policy accept;
>                 udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
                                     ^^^^ 64,48
[..]
> Here's the tcpdump output
>
> 0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0 ...I..RT...0..E.
> 0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461 ....@.@...Q....a
> 0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445 ;L......8nINVITE
>
> INVITE starts at bit 337 (128 * 2) + (5 * 16) + 1, but this is zero based,
> so use 336, correct?

No. You are asking for @th, so address is relative to the transport (UDP) header, which is 8 bytes.

So INVITE starts at bit 64, just like Pablo said.

> As I read your response, it's not the offset from the beginning, but after
> the UDP header,
> so 336 - 120, or 216. (BTW, I always thought the UDP header was 160 bits.)

No:

@ll - start at link layer
@nh - start at ip/ipv6 header
@th - start at tcp/udp/whatever transport header protocol is used

The offset is relative to that, not the 'start of packet'.

* Re: rate limit SIP INVITES
From: Pablo Neira Ayuso @ 2020-09-27 20:59 UTC
To: sean darcy; +Cc: netfilter

On Sun, Sep 27, 2020 at 11:42:08AM -0400, sean darcy wrote:
> [...]
> I corrected it, but it didn't work:
>
> nft list chain filter raw
> table ip filter {
>         chain raw {
>                 type filter hook prerouting priority raw; policy accept;
>                 udp dport 5060 @th,184,48 80600803923013 counter packets 0 bytes 0
>                 udp dport 5060 @th,184,64 5928222864759342418 counter packets 0 bytes 0

This should be:

        @th,64,48 0x494e56495445 counter

you specify offset to 184, that does not look fine.

If you want to match INVITE right after the UDP header, in the initial 6 bytes of the payload, then offset is 64 bits given that UDP header is 8 bytes (64 bits).

Note that @th specifies that the offset is relative to the transport header offset. Similarly, @nh specifies the offset relative to the network header.

I tried it here with nc -u and sending the string INVITE and it works fine.

* Re: rate limit SIP INVITES
From: sean darcy @ 2020-09-28 18:09 UTC
To: netfilter

On 9/27/20 4:59 PM, Pablo Neira Ayuso wrote:
> [...]
> This should be:
>
>         @th,64,48 0x494e56495445 counter
>
> you specify offset to 184, that does not look fine.
>
> If you want to match INVITE right after the UDP header, in the initial
> 6 bytes of the payload, then offset is 64 bits given that UDP header is
> 8 bytes (64 bits).
>
> Note that @th specifies that the offset is relative to the transport
> header offset. Similarly, @nh specifies the offset relative to the
> network header.
>
> I tried it here with nc -u and sending the string INVITE and it works
> fine.

It's working. Thanks for all the quick and responsive help.

For those who find this exchange, and are as clueless as I am about bit counting network packets, and the differences between link layer, network header, and transport header:

table ip filter {
        chain raw {
                type filter hook prerouting priority raw; policy accept;
                udp dport 5060 @th,64,48 80600803923013 counter packets 221 bytes 162020
                udp dport 5060 @th,64,64 5928222864759342418 counter packets 67 bytes 39671
                udp dport 5060 @ll,336,48 80600803923013 counter packets 221 bytes 162020
                udp dport 5060 @ll,336,64 5928222864759342418 counter packets 67 bytes 39671
                udp dport 5060 @nh,224,48 80600803923013 counter packets 221 bytes 162020 drop
                udp dport 5060 @nh,224,64 5928222864759342418 counter packets 67 bytes 39671 drop
        }
}

I repeat my suggestion that "nft list" show the pattern to be matched in hex, as it is in the command.

sean
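
As an added example that is not part of the thread, the Python below takes the tcpdump frame quoted above, works out where the link-layer, network and transport headers start, and derives the three equivalent raw payload expressions (@ll,336 / @nh,224 / @th,64) for INVITE and REGISTER; it also reproduces the decimal figures that "nft list" prints in place of the hex constants. It assumes an untagged Ethernet/IPv4/UDP frame, as in the dump.

```python
"""Derive nftables raw payload expressions (@base,offset,length, in bits) for a
SIP method token from a captured frame, and reproduce the decimal values that
'nft list' prints for the hex constants given in the rules."""

# Frame taken from the tcpdump output quoted in the thread (Ethernet/IPv4/UDP,
# truncated right after the "INVITE" method token).
TCPDUMP_HEX = """
0x0000: 001f 1249 0acc 5254 00e7 8e30 0800 45a0
0x0010: 03e1 0000 4000 4011 01dd 511d d3c4 d461
0x0020: 3b4c 13c4 13c4 03cd 386e 494e 5649 5445
"""

ETH_HDR_LEN = 14   # untagged Ethernet header: 6 + 6 + 2 bytes (assumption: no VLAN tag)
UDP_HDR_LEN = 8    # UDP header is always 8 bytes (64 bits)


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines (tcpdump -xx style) back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def header_offsets(frame: bytes) -> dict:
    """Byte offsets of the three bases nft's raw expression can use, plus the payload start."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4       # IPv4 header length: IHL is in 32-bit words
    if frame[ETH_HDR_LEN + 9] != 17:            # IPv4 protocol field, 17 = UDP
        raise ValueError("not UDP")
    nh = ETH_HDR_LEN
    th = nh + ihl
    return {"ll": 0, "nh": nh, "th": th, "payload": th + UDP_HDR_LEN}


def payload_starts_with(frame: bytes, token: bytes) -> bool:
    """A SIP request line begins with the method, so the token sits at payload offset 0."""
    start = header_offsets(frame)["payload"]
    return frame[start:start + len(token)] == token


def nft_list_value(token: bytes) -> int:
    """'nft list' shows the raw constant in decimal: the big-endian integer of the bytes."""
    return int.from_bytes(token, "big")


def raw_exprs(off: dict, token: bytes) -> dict:
    """One equivalent raw expression per base; offset and length are in bits."""
    hexval = f"0x{nft_list_value(token):x}"
    return {
        base: f"@{base},{(off['payload'] - off[base]) * 8},{len(token) * 8} {hexval}"
        for base in ("ll", "nh", "th")
    }


if __name__ == "__main__":
    frame = parse_hexdump(TCPDUMP_HEX)
    off = header_offsets(frame)
    for method in (b"INVITE", b"REGISTER"):
        for expr in raw_exprs(off, method).values():
            # 'counter' only observes; the thread's final ruleset adds drop on the @nh rules
            print(f"udp dport 5060 {expr} counter   # nft list shows {nft_list_value(method)}")
```

Unlike the iptables string match, which searches a byte window, the raw expression compares a fixed field; that is sufficient here only because the method is the first token of a SIP request line.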