Subject: nftables expressions and operators
From: Aurel Wisse
Date: 2023-11-06 13:11 UTC
To: netfilter

Hi,

I am starting to learn nftables (only superficial previous experience with iptables) and I can't find certain syntax rules for expressions and operators in the wiki or the man page.

I am learning by listing the rulesets of certain predefined firewalls (fw4/OpenWRT, UFW) and I notice that certain listed rules contain operators which I can guess (hopefully correctly) from context and the original syntax in the imported file, but I would like to be sure in order not to make mistakes while building my own firewall.

Examples:

    tcp flags & (fin|syn|rst|ack) != syn jump syn_flood

becomes

    tcp flags syn / fin,syn,rst,ack jump syn_flood

So, from context, commas without spaces around them are equivalent to logical or with precedence over "/", and "/" is somehow "!="?? Where did the & (logical AND?) operator go?

This is just one example. I would like to learn the full operator syntax rules in nftables. Any ideas where I should look? Do I have to dig into the source code?

Thanks

Aurel

nftables v1.0.2 (Lester Gooch)
Pop-OS (6.5.6-76060506-generic)
Subject: Re: nftables expressions and operators
From: Pablo Neira Ayuso
Date: 2023-11-06 13:28 UTC
To: Aurel Wisse; Cc: netfilter

On Mon, Nov 06, 2023 at 08:11:09AM -0500, Aurel Wisse wrote:
> Examples:
>
>     tcp flags & (fin|syn|rst|ack) != syn jump syn_flood
>
> becomes
>
>     tcp flags syn / fin,syn,rst,ack jump syn_flood

That is a bug in nftables v1.0.2, here with recent version it shows:

    tcp flags != syn / fin,syn,rst,ack

> So, from context, commas without spaces around them are equivalent to logical or with precedence over "/", and "/" is somehow "!="?? Where did the & (logical AND?) operator go?
>
> This is just one example. I would like to learn the full operator syntax rules in nftables. Any ideas where I should look? Do I have to dig into the source code?
Subject: Re: nftables expressions and operators
From: Aurel Wisse
Date: 2023-11-06 14:24 UTC
To: netfilter

Thank you for the quick answer. That explains part of it. Still,

    `tcp flags & (fin|syn|rst|ack) != syn` becomes
    `tcp != syn / fin,syn,rst,ack`

and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence?

On Mon, Nov 6, 2023, at 08:28, Pablo Neira Ayuso wrote:
> That is a bug in nftables v1.0.2, here with recent version it shows:
>
>     tcp flags != syn / fin,syn,rst,ack
Subject: Re: nftables expressions and operators
From: Eric
Date: 2023-11-06 15:28 UTC
To: Aurel Wisse; Cc: netfilter

On Monday, November 6th, 2023 at 06:24, Aurel Wisse <nf@awisse.ca> wrote:
> Thank you for the quick answer. That explains part of it. Still,
>
>     `tcp flags & (fin|syn|rst|ack) != syn` becomes
>     `tcp != syn / fin,syn,rst,ack`
>
> and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence?

This is not the answer you're looking for, but it may help...

When I was first learning nft expressions I found it most helpful to dump various rules in json format, where it's really easy to see the expressions in the abstract syntax tree, and compare that with both the input and output forms. Also, you can clearly see the statements after the "match" entries, like "counter", "set", "jump" and so on nicely separated.

(Oh, and in your OP, the "*logical* or/and" should be "*bitwise* or/and", as the "flags" are a bit mask.)

Input - if you don't have this form, then the json is far more enlightening:

    tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "Rate limit TCP syn packets"

Output (i.e., 'nft list ruleset | grep 'Rate limit TCP'):

    tcp flags syn / fin,syn,rst,ack jump syn_flood comment "Rate limit TCP syn packets"

    $ nft -j list chain inet filter input | json_pp
    ...
    {
       "rule" : {
          "chain" : "input",
          "comment" : "Rate limit TCP syn packets",
          "expr" : [
             {
                "match" : {
                   "left" : {
                      "&" : [
                         {
                            "payload" : {
                               "field" : "flags",
                               "protocol" : "tcp"
                            }
                         },
                         [
                            "fin",
                            "syn",
                            "rst",
                            "ack"
                         ]
                      ]
                   },
                   "op" : "==",
                   "right" : "syn"
                }
             },
             {
                "jump" : {
                   "target" : "syn_flood"
                }
             }
          ],
          "family" : "inet",
          "handle" : 210,
          "table" : "filter"
       }
    },
    ...
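The masked flag match that Pablo and Eric discuss above, as an added example that is not part of the thread and not nftables project code: a small Python script that reads the "match" object from Eric's nft -j output (transcribed below), renders it the way nft list ruleset prints it (the "&" disappears, the mask follows "/", "==" is left implicit while "!=" is printed), and applies the match to a few constructed TCP flag bytes. The flag bit values are the standard TCP header bits under the names nft uses; the sample packets are constructed for illustration and the script does not need nft installed.

```python
"""Evaluate and render an nftables 'tcp flags' match taken from nft -j JSON.

Added example for this thread, not nftables project code.  It covers only
what the thread shows: "tcp flags" bitwise AND-ed with a flag list and
compared with == or != to a flag value, plus the "value / mask" text form.
"""
import json

# TCP flag bits under the names nftables uses (RFC 793 plus RFC 3168 ecn/cwr).
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

# The "match" object transcribed from the thread's
# `nft -j list chain inet filter input` output.
SAMPLE_MATCH_JSON = """
{
  "match": {
    "left": {
      "&": [
        {"payload": {"field": "flags", "protocol": "tcp"}},
        ["fin", "syn", "rst", "ack"]
      ]
    },
    "op": "==",
    "right": "syn"
  }
}
"""

# Constructed sample packets: TCP flags byte -> description.
SAMPLE_PACKETS = {
    0x02: "bare SYN (new inbound connection attempt)",
    0xC2: "SYN with ecn,cwr (ECN-capable client's SYN)",
    0x12: "SYN+ACK (reply to our own outbound connection)",
    0x10: "plain ACK (established traffic)",
}


def flag_bits(expr):
    """A flag name, a list of names (bitwise OR in nft's JSON) or an int -> bitmask."""
    if isinstance(expr, int):
        return expr
    if isinstance(expr, str):
        return TCP_FLAGS[expr]
    bits = 0
    for item in expr:
        bits |= flag_bits(item)
    return bits


def parse_match(match):
    """Return (mask, op, value) for a 'tcp flags' match object.

    The masked form is {"&": [<payload>, <flags>]}; without "&" the whole
    flags byte is compared, i.e. mask 0xff.
    """
    left = match["left"]
    if isinstance(left, dict) and "&" in left:
        payload, mask_expr = left["&"]
        mask = flag_bits(mask_expr)
    else:
        payload, mask = left, 0xFF
    p = payload["payload"]
    if (p["protocol"], p["field"]) != ("tcp", "flags"):
        raise ValueError(f"not a tcp flags match: {p}")
    if match["op"] not in ("==", "!="):
        raise ValueError(f"unsupported operator: {match['op']}")
    return mask, match["op"], flag_bits(match["right"])


def flag_names(bits):
    """Bitmask -> comma-joined nft flag names, in nft's listing order."""
    return ",".join(name for name, bit in TCP_FLAGS.items() if bits & bit)


def render(mask, op, value):
    """Text form as `nft list ruleset` prints it: no '&', mask after '/',
    '==' omitted, '!=' printed."""
    text = "tcp flags " + ("!= " if op == "!=" else "") + flag_names(value)
    if mask != 0xFF:
        text += " / " + flag_names(mask)
    return text


def matches(mask, op, value, flags_byte):
    """Apply the match to one packet's TCP flags byte."""
    masked = flags_byte & mask
    return masked == value if op == "==" else masked != value


def sample_match():
    """(mask, op, value) of the match transcribed from the thread."""
    return parse_match(json.loads(SAMPLE_MATCH_JSON)["match"])


def classify(match=None):
    """{flags_byte: matched?} for the sample packets under a (mask, op, value)."""
    mask, op, value = match or sample_match()
    return {f: matches(mask, op, value, f) for f in SAMPLE_PACKETS}


if __name__ == "__main__":
    m = sample_match()
    print("nft prints:", render(*m))
    print("nft prints (!= form):", render(m[0], "!=", m[2]))
    for flags, hit in classify(m).items():
        print(f"  0x{flags:02x} {SAMPLE_PACKETS[flags]:48s} -> {'match' if hit else 'no match'}")
```

Running it shows why the mask matters for a syn_flood chain: "syn / fin,syn,rst,ack" ignores psh, urg, ecn and cwr, so an ECN-setup SYN (ecn and cwr set) still counts as a new connection attempt, while a SYN+ACK replying to one of your own outbound connections does not and is never rate limited. A full-byte comparison ("tcp flags == syn") would miss the ECN SYN.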
Subject: Re: nftables expressions and operators
From: Aurel Wisse
Date: 2023-11-06 15:41 UTC
To: Eric; Cc: netfilter

Thank you Eric. Very helpful indeed in order to better understand exported existing rules.

On Mon, Nov 6, 2023, at 10:28, Eric wrote:
> When I was first learning nft expressions I found it most helpful to
> dump various rules in json format, where it's really easy to see the
> expressions in the abstract syntax tree, and compare that with both the
> input and output forms.