* nftables expressions and operators
From: Aurel Wisse @ 2023-11-06 13:11 UTC (permalink / raw)
To: netfilter
Hi,
I am starting to learn nftables (only superficial previous experience with iptables) and I can't find certain syntax rules for expressions and operators in the wiki or the man page.
I am learning by listing the rulesets of certain predefined firewalls (fw4/OpenWRT, UFW) and I notice that certain listed rules contain operators which I can guess (hopefully correctly) from context and the original syntax in the imported file, but I would like to be sure in order not to make mistakes while building my own firewall.
Examples:
tcp flags & (fin|syn|rst|ack) != syn jump syn_flood
becomes
tcp flags syn / fin,syn,rst,ack jump syn_flood
So, from context, commas without spaces around them are equivalent to logical or with precedence over "/", and "/" is somehow "!="?? Where did the & (logical AND?) operator go?
This is just one example. I would like to learn the full operator syntax rules in nftables. Any ideas where I should look? Do I have to dig into the source code?
Thanks
Aurel
nftables v1.0.2 (Lester Gooch)
Pop-OS (6.5.6-76060506-generic)
From: Pablo Neira Ayuso @ 2023-11-06 13:28 UTC (permalink / raw)
To: Aurel Wisse; +Cc: netfilter
On Mon, Nov 06, 2023 at 08:11:09AM -0500, Aurel Wisse wrote:
> Hi,
>
> I am starting to learn nftables (only superficial previous experience with iptables) and I can't find certain syntax rules for expressions and operators in the wiki or the man page.
>
> I am learning by listing the rulesets of certain predefined firewalls (fw4/OpenWRT, UFW) and I notice that certain listed rules contain operators which I can guess (hopefully correctly) from context and the original syntax in the imported file, but I would like to be sure in order not to make mistakes while building my own firewall.
>
> Examples:
>
> tcp flags & (fin|syn|rst|ack) != syn jump syn_flood
>
> becomes
>
> tcp flags syn / fin,syn,rst,ack jump syn_flood
That is a bug in nftables v1.0.2, here with recent version it shows:
tcp flags != syn / fin,syn,rst,ack
> So, from context, commas without spaces around them are equivalent to logical or with precedence over "/", and "/" is somehow "!="?? Where did the & (logical AND?) operator go?
>
> This is just one example. I would like to learn the full operator syntax rules in nftables. Any ideas where I should look? Do I have to dig into the source code?
>
> Thanks
>
> Aurel
>
> nftables v1.0.2 (Lester Gooch)
> Pop-OS (6.5.6-76060506-generic)
From: Aurel Wisse @ 2023-11-06 14:24 UTC (permalink / raw)
To: netfilter
Thank you for the quick answer. That explains part of it. Still,
`tcp flags & (fin|syn|rst|ack) != syn` becomes
`tcp != syn / fin,syn,rst,ack`
and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence?
On Mon, Nov 6, 2023, at 08:28, Pablo Neira Ayuso wrote:
> On Mon, Nov 06, 2023 at 08:11:09AM -0500, Aurel Wisse wrote:
> > Hi,
> >
> > I am starting to learn nftables (only superficial previous experience with iptables) and I can't find certain syntax rules for expressions and operators in the wiki or the man page.
> >
> > I am learning by listing the rulesets of certain predefined firewalls (fw4/OpenWRT, UFW) and I notice that certain listed rules contain operators which I can guess (hopefully correctly) from context and the original syntax in the imported file, but I would like to be sure in order not to make mistakes while building my own firewall.
> >
> > Examples:
> >
> > tcp flags & (fin|syn|rst|ack) != syn jump syn_flood
> >
> > becomes
> >
> > tcp flags syn / fin,syn,rst,ack jump syn_flood
>
> That is a bug in nftables v1.0.2, here with recent version it shows:
>
> tcp flags != syn / fin,syn,rst,ack
>
> > So, from context, commas without spaces around them are equivalent to logical or with precedence over "/", and "/" is somehow "!="?? Where did the & (logical AND?) operator go?
> >
> > This is just one example. I would like to learn the full operator syntax rules in nftables. Any ideas where I should look? Do I have to dig into the source code?
> >
> > Thanks
> >
> > Aurel
> >
> > nftables v1.0.2 (Lester Gooch)
> > Pop-OS (6.5.6-76060506-generic)
>
From: Eric @ 2023-11-06 15:28 UTC (permalink / raw)
To: Aurel Wisse; +Cc: netfilter
On Monday, November 6th, 2023 at 06:24, Aurel Wisse <nf@awisse.ca> wrote:
> Thank you for the quick answer. That explains part of it. Still,
>
> `tcp flags & (fin|syn|rst|ack) != syn` becomes
> `tcp != syn / fin,syn,rst,ack`
>
> and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence?
This is not the answer you're looking for, but it may help...
When I was first learning nft expressions I found it most helpful to dump various rules in json format, where it's really easy to see the expressions in the abstract syntax tree, and compare that with both the input and output forms. Also, you can clearly see the statements after the "match" entries, like "counter", "set", "jump" and so on nicely separated.
(Oh, and in your OP, the "*logical* or/and" should be "*bitwise* or/and", as the "flags" are a bit mask.)
Input - if you don't have this form, then the json is far more enlightening:
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "Rate limit TCP syn packets"
Output (i.e., nft list ruleset | grep 'Rate limit TCP')
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "Rate limit TCP syn packets"
$ nft -j list chain inet filter input | json_pp
...
{
   "rule" : {
      "chain" : "input",
      "comment" : "Rate limit TCP syn packets",
      "expr" : [
         {
            "match" : {
               "left" : {
                  "&" : [
                     {
                        "payload" : {
                           "field" : "flags",
                           "protocol" : "tcp"
                        }
                     },
                     [
                        "fin",
                        "syn",
                        "rst",
                        "ack"
                     ]
                  ]
               },
               "op" : "==",
               "right" : "syn"
            }
         },
         {
            "jump" : {
               "target" : "syn_flood"
            }
         }
      ],
      "family" : "inet",
      "handle" : 210,
      "table" : "filter"
   }
},
...
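The two syntaxes discussed above (the `tcp flags & (fin|syn|rst|ack) == syn` input form from the first message and Pablo's reply, and the `value / mask` listing form Eric shows alongside the `-j` output) are the same bitwise test. The following is an added example, not code from this thread or from the nftables project: it reads a rule in the JSON shape that `nft -j list chain` prints, evaluates the match against constructed TCP flag bitmasks, and re-renders the rule in nft's listing shorthand. The rule JSON is built by hand to mirror Eric's dump (the handle value is arbitrary), and only the `&`, `|`, `^`, `==` and `!=` operators are handled.

```python
"""
Evaluate and re-render an nftables JSON 'match' on TCP flags.

Added example, not nftables code. It shows why

    tcp flags & (fin|syn|rst|ack) == syn      (input syntax)
    tcp flags syn / fin,syn,rst,ack           (nft list output)

are the same test: the mask after '/' is ANDed with the flags field and
the result is compared with the value before '/'.
"""
import json

# TCP header flag bits; the names are the ones nft accepts for `tcp flags`.
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}


def make_syn_rule(op="=="):
    """Constructed JSON (mirrors the `nft -j` dump in the thread) for:
    tcp flags & (fin|syn|rst|ack) <op> syn jump syn_flood"""
    return json.dumps({"rule": {
        "family": "inet", "table": "filter", "chain": "input", "handle": 210,
        "comment": "Rate limit TCP syn packets",
        "expr": [
            {"match": {
                "left": {"&": [{"payload": {"protocol": "tcp", "field": "flags"}},
                               ["fin", "syn", "rst", "ack"]]},
                "op": op,
                "right": "syn",
            }},
            {"jump": {"target": "syn_flood"}},
        ],
    }})


def const_value(node):
    """A flag name, or a list of names (nft's JSON for fin|syn|...), as a bitmask."""
    if isinstance(node, int):
        return node
    if isinstance(node, str):
        return TCP_FLAG_BITS[node]
    mask = 0
    for name in node:
        mask |= TCP_FLAG_BITS[name]
    return mask


def eval_expr(node, packet):
    """Evaluate an expression node; `packet` maps (protocol, field) to values."""
    if not isinstance(node, dict):
        return const_value(node)
    if "payload" in node:
        p = node["payload"]
        return packet[(p["protocol"], p["field"])]
    for bitop in ("&", "|", "^"):
        if bitop in node:
            lhs, rhs = (eval_expr(n, packet) for n in node[bitop])
            return {"&": lhs & rhs, "|": lhs | rhs, "^": lhs ^ rhs}[bitop]
    raise ValueError(f"unsupported expression: {node!r}")


def eval_match(match, packet):
    lhs = eval_expr(match["left"], packet)
    rhs = eval_expr(match["right"], packet)
    if match["op"] == "==":
        return lhs == rhs
    if match["op"] == "!=":
        return lhs != rhs
    raise ValueError(f"unsupported relational op: {match['op']}")


def rule_verdict(rule_json, tcp_flags):
    """Run the rule for a packet with the given TCP flags byte.

    Returns (matched, verdict): matched is False as soon as a match fails
    (the packet falls through to the next rule); verdict is the verdict
    statement reached, e.g. 'jump syn_flood', or None if the rule has none.
    """
    packet = {("tcp", "flags"): tcp_flags}
    for stmt in json.loads(rule_json)["rule"]["expr"]:
        if "match" in stmt:
            if not eval_match(stmt["match"], packet):
                return False, None
        elif "jump" in stmt:
            return True, "jump " + stmt["jump"]["target"]
        # other statements (counter, log, ...) are non-terminal: keep going
    return True, None


def list_rule(rule_json):
    """Render the rule the way `nft list ruleset` prints it: a `flags & mask
    <op> value` match becomes `flags <op> value / mask` (op omitted for ==)."""
    parts = []
    for stmt in json.loads(rule_json)["rule"]["expr"]:
        if "match" in stmt:
            m = stmt["match"]
            payload, mask = m["left"]["&"]          # assumes left is `payload & mask`
            p = payload["payload"]
            op = "" if m["op"] == "==" else m["op"] + " "
            value = m["right"] if isinstance(m["right"], str) else ",".join(m["right"])
            parts.append(f'{p["protocol"]} {p["field"]} {op}{value} / {",".join(mask)}')
        elif "jump" in stmt:
            parts.append("jump " + stmt["jump"]["target"])
    return " ".join(parts)


if __name__ == "__main__":
    for op in ("==", "!="):
        rule = make_syn_rule(op)
        print(list_rule(rule))
        for name, flags in [("syn", 0x02), ("syn,ack", 0x12), ("syn,psh", 0x0a), ("ack", 0x10)]:
            print(f"  {name:8s} flags=0x{flags:02x} -> {rule_verdict(rule, flags)}")
```

Note the `syn,psh` case: PSH is outside the mask, so it is ignored and the packet still matches; only the bits named after `/` take part in the comparison. Pablo's corrected listing, `tcp flags != syn / fin,syn,rst,ack`, is the same rule with the comparison negated, which the `!=` branch above reproduces.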
From: Aurel Wisse @ 2023-11-06 15:41 UTC (permalink / raw)
To: Eric; +Cc: netfilter
Thank you Eric. Very helpful indeed in order to better understand exported existing rules.
On Mon, Nov 6, 2023, at 10:28, Eric wrote:
> On Monday, November 6th, 2023 at 06:24, Aurel Wisse <nf@awisse.ca> wrote:
>> Thank you for the quick answer. That explains part of it. Still,
>>
>> `tcp flags & (fin|syn|rst|ack) != syn` becomes
>> `tcp != syn / fin,syn,rst,ack`
>>
>> and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence?
>
> This is not the answer you're looking for, but it may help...
>
> When I was first learning nft expressions I found it most helpful to
> dump various rules in json format, where it's really easy to see the
> expressions in the abstract syntax tree, and compare that with both the
> input and output forms. Also, you can clearly see the statements after
> the "match" entries, like "counter", "set", "jump" and so on nicely
> separated.
>
> (Oh, and in your OP, the "*logical* or/and" should be "*bitwise*
> or/and", as the "flags" are a bit mask.)
>
> Input - if you don't have this form, then the json is far more
> enlightening:
> tcp flags & (fin | syn | rst | ack) == syn jump syn_flood
> comment "Rate limit TCP syn packets"
>
> Output (i.e., nft list ruleset | grep 'Rate limit TCP')
> tcp flags syn / fin,syn,rst,ack jump syn_flood comment "Rate limit
> TCP syn packets"
>
> $ nft -j list chain inet filter input | json_pp
> ...
> {
>    "rule" : {
>       "chain" : "input",
>       "comment" : "Rate limit TCP syn packets",
>       "expr" : [
>          {
>             "match" : {
>                "left" : {
>                   "&" : [
>                      {
>                         "payload" : {
>                            "field" : "flags",
>                            "protocol" : "tcp"
>                         }
>                      },
>                      [
>                         "fin",
>                         "syn",
>                         "rst",
>                         "ack"
>                      ]
>                   ]
>                },
>                "op" : "==",
>                "right" : "syn"
>             }
>          },
>          {
>             "jump" : {
>                "target" : "syn_flood"
>             }
>          }
>       ],
>       "family" : "inet",
>       "handle" : 210,
>       "table" : "filter"
>    }
> },
> ...