* Problems to get started with nftables
@ 2014-06-11 18:25 Michael
  2014-06-13 11:37 ` Álvaro Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Michael @ 2014-06-11 18:25 UTC (permalink / raw)
  To: netfilter user mailinglist

Dear all,

I have some problems, that might well be due to my lack of understanding
nftables: My rules look like this:

table filter {
        chain input {
                 type filter hook input priority 0;
                 icmp type { echo-request } limit rate 5/second counter accept
        }
}

table ip6 filter {
        chain input {
                 type filter hook input priority 0;
                 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } ip6 hoplimit 255 counter log prefix "log1: " accept
                 icmpv6 type { echo-request } limit rate 5/second counter accept
        }
}

table inet filter {
        chain input {
                 type filter hook input priority 1;
                 ct state { established, related } accept
                 ct state invalid counter log prefix "log2: " drop
                 iif lo accept
#                 udp sport bootps dport bootpc accept
                 counter log prefix "log3: " drop
        }

        chain output {
                 type filter hook output priority 1;
                 ct state { new, established, related } accept
                 ct state invalid counter log prefix "log4: " drop
                 oif lo accept
        }
}


What I observe when I load these rules is that the accept in the log1 line is
not enough to accept the packets. They are ultimately dropped in the log3
rule. How do I get the packets through both rule chains?

The second problem is in the
#                 udp sport bootps dport bootpc accept
line. I've seen examples with this syntax, but it's not accepted for me. What
is the correct syntax to filter on both dport and sport? I've tried using "and"
or "&", but that didn't work either.

And finally: Is there a way to match the destination mac address of an
incoming packet?

I'm running nftables 0.2 on kernel 3.14.4.

Best,
Michael


* Re: Problems to get started with nftables
  2014-06-11 18:25 Problems to get started with nftables Michael
@ 2014-06-13 11:37 ` Álvaro Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Álvaro Neira Ayuso @ 2014-06-13 11:37 UTC (permalink / raw)
  To: Michael, netfilter user mailinglist

Hello Michael

On 11/06/14 20:25, Michael wrote:
> Dear all,
>
> I have some problems, that might well be due to my lack of understanding
> nftables: My rules look like this:
>
> table filter {
>          chain input {
>                   type filter hook input priority 0;
>                   icmp type { echo-request } limit rate 5/second counter accept
			      ^^^^^^^^^^^^^^^^
It's a single element, you don't need to use a set. You can use the rule 
like:

nft add rule filter input icmp type echo-request limit rate 5/second 
counter accept

>          }
> }
>
> table ip6 filter {
>          chain input {
>                   type filter hook input priority 0;
>                   icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } ip6 hoplimit 255 counter log prefix "log1: " accept
>                   icmpv6 type { echo-request } limit rate 5/second counter accept
>          }
> }
>
> table inet filter {
>          chain input {
>                   type filter hook input priority 1;
>                   ct state { established, related } accept
			     ^^^^^^^^^^^^^^^^^^^^^^^^
Also, you have used a set here, but you can use the rule without the set,
like this:

nft add rule inet filter input ct state established, related counter accept

>                   ct state invalid counter log prefix "log2: " drop
>                   iif lo accept
> #                 udp sport bootps dport bootpc accept
>                   counter log prefix "log3: " drop
>          }
>
>          chain output {
>                   type filter hook output priority 1;
>                   ct state { new, established, related } accept
>                   ct state invalid counter log prefix "log4: " drop
>                   oif lo accept
>          }
> }
>
>
> What I observe when I load these rules is that the accept in the log1 line is
> not enough to accept the packets. They are ultimately dropped in the log3
> rule. How do I get the packets through both rule chains?

Because you have a table inet and a table ip6. The table ip6 filter
sees the ip6 traffic and the table inet filter sees the ip4 and ip6
traffic. You have defined the priority of the first chain at 0, so
nftables checks the rules there first and afterwards checks the rules
inside the filter chain in inet.

I suggest you use a single filter table, like inet.

>
> The second problem is in the
> #                 udp sport bootps dport bootpc accept
> line. I've seen examples with this syntax, but it's not accepted for me. What
> is the correct syntax to filter on both dport and sport? I've tried using and
> or &, but that didn't work either.

The rule is like this:

nft add rule filter input udp sport bootps udp dport bootpc accept

>
> And finally: Is there a way to match the destination mac address of an
> incoming packet?

You must add a rule with ether, like this:

nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter

I hope that I have explained this correctly and that I have helped you.

Regards

Álvaro
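As an added example (not Michael's or Álvaro's rules), here is the ruleset from the question merged into the single inet filter table the reply suggests: one base chain per hook, so each packet gets one verdict instead of being accepted in the ip6 chain at priority 0 and then dropped at "log3" in the inet chain at priority 1. The sport/dport and ether daddr forms are the ones from the reply; the broadcast-MAC counter rule and the "log0: " prefix are assumptions.

```nft
# Added example, not from the thread: one inet table replaces the
# separate ip, ip6 and inet tables, so each hook has a single base
# chain and a single verdict per packet.
table inet filter {
        chain input {
                type filter hook input priority 0;

                # loopback first, then the conntrack fast path
                iif lo accept
                ct state established, related accept
                ct state invalid counter log prefix "log2: " drop

                # IPv6 neighbour discovery, only with the link-local hop limit
                icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } ip6 hoplimit 255 counter log prefix "log1: " accept

                # rate-limited ping; a single element needs no set
                icmp type echo-request limit rate 5/second counter accept
                icmpv6 type echo-request limit rate 5/second counter accept

                # DHCP server -> client: "udp" is repeated before each port match
                udp sport bootps udp dport bootpc accept

                # link-layer destination match; here it only counts broadcast
                # frames that reach this host (assumed rule, no verdict)
                ether daddr ff:ff:ff:ff:ff:ff counter log prefix "log0: "

                # everything else is logged and dropped
                counter log prefix "log3: " drop
        }

        chain output {
                type filter hook output priority 0;

                oif lo accept
                ct state new, established, related accept
                ct state invalid counter log prefix "log4: " drop
        }
}
```

Load it with `nft -f <file>` after deleting the old ip, ip6 and inet tables, so no second base chain on the input hook is left to override the verdict.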
