* [nftables] granular rule for combined tcp & udp sports?
From: ѽ҉ᶬḳ℠ @ 2020-10-05 12:56 UTC (permalink / raw)
To: netfilter@vger.kernel.org
I am trying to get a granular logging rule going, combining tcp and udp
sports for ip6 saddr but somehow failing:
tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6
log flags all prefix "G_C :" continue
-> Error: conflicting protocols specified: tcp vs. udp
ip6 saddr @g_6 tcp sport != { 80, 443, 993, 5228 } | udp sport != 19302
log flags all prefix "G_C :" continue;
-> Error: syntax error, unexpected '|', expecting newline or semicolon
* Re: [nftables] granular rule for combined tcp & udp sports?
From: ѽ҉ᶬḳ℠ @ 2020-10-06 6:49 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Yuval Steuer

Thank you for the input but that still prints (yet another) error:

Error: syntax error, unexpected !=, expecting ')'

On 06/10/2020 05:42, Yuval Steuer wrote:
> ((tcp sport != { 80, 443, 993, 5228 }) or (udp sport != 19302) and
> (ip6 saddr @g_6))
>
> On Mon, 5 Oct 2020 at 16:02 ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> > I am trying to get a granular logging rule going, combining tcp and udp
> > sports for ip6 saddr but somehow failing:
> >
> > tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6
> > log flags all prefix "G_C :" continue
> >
> > -> Error: conflicting protocols specified: tcp vs. udp
> >
> > ip6 saddr @g_6 tcp sport != { 80, 443, 993, 5228 } | udp sport != 19302
> > log flags all prefix "G_C :" continue;
> >
> > -> Error: syntax error, unexpected '|', expecting newline or semicolon
* RE: [nftables] granular rule for combined tcp & udp sports?
From: Eliezer Croitor @ 2020-10-09 6:23 UTC (permalink / raw)
To: netfilter

What OS and nftables versions are you using?

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com

-----Original Message-----
From: ѽ҉ᶬḳ℠ <vtol@gmx.net>
Sent: Tuesday, October 6, 2020 9:49 AM
To: netfilter@vger.kernel.org
Cc: Yuval Steuer <yuvalsteuer11@gmail.com>
Subject: Re: [nftables] granular rule for combined tcp & udp sports?

Thank you for the input but that still prints (yet another) error:

Error: syntax error, unexpected !=, expecting ')'

On 06/10/2020 05:42, Yuval Steuer wrote:
> ((tcp sport != { 80, 443, 993, 5228 }) or (udp sport != 19302) and
> (ip6 saddr @g_6))
>
> On Mon, 5 Oct 2020 at 16:02 ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> > I am trying to get a granular logging rule going, combining tcp and udp
> > sports for ip6 saddr but somehow failing:
> >
> > tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6
> > log flags all prefix "G_C :" continue
> >
> > -> Error: conflicting protocols specified: tcp vs. udp
> >
> > ip6 saddr @g_6 tcp sport != { 80, 443, 993, 5228 } | udp sport != 19302
> > log flags all prefix "G_C :" continue;
> >
> > -> Error: syntax error, unexpected '|', expecting newline or semicolon
* Re: [nftables] granular rule for combined tcp & udp sports?
From: Pablo Neira Ayuso @ 2020-10-06 8:31 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter@vger.kernel.org

On Mon, Oct 05, 2020 at 12:56:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> I am trying to get a granular logging rule going, combining tcp and udp
> sports for ip6 saddr but somehow failing:
>
> tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6 log
> flags all prefix "G_C :" continue
>
> -> Error: conflicting protocols specified: tcp vs. udp

I suggest you express things in less convoluted ways, ie. positive
logic and default action to drop in your ruleset.

nft add rule ip6 x y meta l4proto . th dport { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @y accept

You can set default policy in the chain to drop.
* Re: [nftables] granular rule for combined tcp & udp sports?
From: ѽ҉ᶬḳ℠ @ 2020-10-06 8:54 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Pablo Neira Ayuso

On 06/10/2020 10:31, Pablo Neira Ayuso wrote:
> On Mon, Oct 05, 2020 at 12:56:00PM +0000, ѽ҉ᶬḳ℠ wrote:
>> I am trying to get a granular logging rule going, combining tcp and udp
>> sports for ip6 saddr but somehow failing:
>>
>> tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6 log
>> flags all prefix "G_C :" continue
>>
>> -> Error: conflicting protocols specified: tcp vs. udp
> I suggest you express things in less convoluted ways, ie. positive
> logic and default action to drop in your ruleset.
>
> nft add rule ip6 x y meta l4proto . th dport { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @y accept
>
> You can set default policy in the chain to drop.

Thank you for the input. The rule is just for logging/debugging, not for
dropping frames, and the logic is not to log:

* frames from tcp sport(s) 80, 443, 993, 5228
* frames from udp sport 19302

but log all other frames from ip6 saddr @foo

For that purpose inverting positive (consulted) logic seemed the way to go
and this should work then:

meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @foo flags all prefix "bar :" continue;
* Re: [nftables] granular rule for combined tcp & udp sports?
From: Pablo Neira Ayuso @ 2020-10-06 9:04 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter@vger.kernel.org

On Tue, Oct 06, 2020 at 08:54:00AM +0000, ѽ҉ᶬḳ℠ wrote:
> On 06/10/2020 10:31, Pablo Neira Ayuso wrote:
> > On Mon, Oct 05, 2020 at 12:56:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> > > I am trying to get a granular logging rule going, combining tcp and udp
> > > sports for ip6 saddr but somehow failing:
> > >
> > > tcp sport != { 80, 443, 993, 5228 } udp sport != 19302 ip6 saddr @g_6 log
> > > flags all prefix "G_C :" continue
> > >
> > > -> Error: conflicting protocols specified: tcp vs. udp
> > I suggest you express things in less convoluted ways, ie. positive
> > logic and default action to drop in your ruleset.
> >
> > nft add rule ip6 x y meta l4proto . th dport { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } ip6 saddr @y accept
> >
> > You can set default policy in the chain to drop.
>
> Thank you for the input. The rule is just for logging/debugging, not for
> dropping frames, and the logic is not to log:
>
> * frames from tcp sport(s) 80, 443, 993, 5228
> * frames from udp sport 19302
>
> but log all other frames from ip6 saddr @foo
>
> For that purpose inverting positive (consulted) logic seemed the way to go
> and this should work then:
>
> meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp
> . 19302 } ip6 saddr @foo flags all prefix "bar :" continue;

almost...

add rule ip6 x y meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } \
    ip6 saddr @foo log flags all prefix "bar :" continue

Missing log before flags.
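As an added worked example (not code from the thread), the rule the last reply settles on, placed in a complete loadable ruleset so it can be checked with nft -c -f and loaded with nft -f. The table name dbg, chain name in, set name g_6 and the addresses in the set are assumptions; the set elements are constructed sample prefixes, not real hosts.

```nft
# Added example, not from the thread. Table/chain/set names and the
# addresses in g_6 are assumed; the elements are constructed samples.
table ip6 dbg {
	# Sources whose traffic we want to inspect. The original thread used a
	# named set (@g_6 / @foo); the type must be ipv6_addr for "ip6 saddr @g_6".
	set g_6 {
		type ipv6_addr
		flags interval
		elements = { 2001:db8:1::/64, 2001:db8:2::10 }
	}

	chain in {
		type filter hook input priority 0; policy accept;

		# Logging only: "continue" hands the packet to the next rule, so this
		# rule never drops anything. It fires for any packet from @g_6 whose
		# (protocol, source port) pair is NOT in the concatenated set; "log"
		# must precede "flags"/"prefix", which is the error in the thread.
		# Caveat: "th sport" is a raw 2-byte read at the start of whatever
		# transport header is present, so non-TCP/UDP traffic from @g_6
		# (e.g. ICMPv6) also fails the set lookup and is logged.
		meta l4proto . th sport != { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } \
			ip6 saddr @g_6 log flags all prefix "G_C :" continue

		# Positive-logic counterpart suggested earlier in the thread: count the
		# expected (protocol, port) pairs instead of logging the unexpected ones.
		# With "policy drop" on the chain this becomes an allowlist.
		meta l4proto . th sport { tcp . 80, tcp . 443, tcp . 993, tcp . 5228, udp . 19302 } \
			ip6 saddr @g_6 counter accept
	}
}
```

Save as a file and run nft -c -f FILE to syntax-check without touching the kernel state, then nft -f FILE to load it; the log lines appear in the kernel log (dmesg / journal) with the "G_C :" prefix, and nft list ruleset shows the counter values for the second rule.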