https://bugzilla.netfilter.org/show_bug.cgi?id=1368
Bug ID: 1368
Summary: The "meta's"
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad1073 at gmail.com
#!/usr/bin/nftables -f
define g6dns = { 2001:4860:4860::8888, 2001:4860:4860::8844 }
define o4dns = { 208.67.222.222, 208.67.220.220 }
define o6dns = { 2620:119:35::35, 2620:119:53::53 }
define myIPv4 = <filtered>
define myIPv6 = <filtered>
flush ruleset
table inet filter {
    set dns4 {
        type ipv4_addr;
        elements = { $g4dns, $o4dns }
    }
    set dns6 {
        type ipv6_addr;
        elements = { $g6dns, $o6dns }
    }
    set smb {
        type inet_service;
        elements = { 137, 138, 139, 445 }
    }
    chain global {
        ct direction original counter accept
        ct state { established, related } counter accept
        ct status confirmed counter accept
        ct state { invalid, untracked } counter jump global_drop
        counter drop
    }
    chain global_dns {
        ct direction original counter accept
        ct state { established, related } counter accept
        ct status { expected, assured, confirmed } counter accept
        ct state { invalid, untracked } counter jump global_drop
        counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump global_dns
        meta protocol { ip, ip6 } saddr { @dns4, @dns6 } daddr { $myIPv4, $myIPv6 } jump global_dns
        meta l4proto { tcp, udp } @ht,16,16 @dns jump global_dns
        meta l4proto { tcp, udp } @ht,16,16 { http, https, proxy, @smb, } jump global
    }
}
The above is how I think it should work but it doesn't.
Reference "https://www.netfilter.org/projects/nftables/manpage.html"
Reference "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta"
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191007/4c5137fc/attachment.html>
--- Comment #1 from Thomas <tad1073 at gmail.com> ---
Fixed typos
define dns = { 53, 953 }
meta l4proto { tcp, udp } @ht,16,16 $dns jump global_dns
chain input {
type filter hook input priority 0; policy drop;
Thomas <tad1073 at gmail.com> changed:
What            |Removed     |Added
----------------------------------------------------------------------------
CC              |            |tad1073 at gmail.com
--- Comment #2 from Thomas <tad1073 at gmail.com> ---
Created attachment 570
--> https://bugzilla.netfilter.org/attachment.cgi?id=570&action=edit
inet.net file
I'm in the process of reworking my rulesets.
kfm at plushkava.net changed:
What            |Removed     |Added
----------------------------------------------------------------------------
CC              |            |kfm at plushkava.net
--- Comment #3 from kfm at plushkava.net ---
(In reply to Thomas from comment #1)
> meta l4proto { tcp, udp } @ht,16,16 $dns jump global_dns
As documented, it is @th (transport header), not @ht.
That aside, the summary and comments seem incoherent. What sort of "enhancement" are you requesting exactly? If you only need help correcting the syntax of your ruleset, try the netfilter mailing list or visit the #Netfilter channel at Freenode.
kfm at plushkava.net changed:
What            |Removed     |Added
----------------------------------------------------------------------------
Status          |NEW         |RESOLVED
Resolution      |---         |INVALID
--- Comment #4 from kfm at plushkava.net ---
Closing, as there doesn't appear to be anything actionable here. Please re-open or file a new bug if you have a specific enhancement to request or actual bug to report.

Incidentally, and while you've probably long since figured it out, the rule at line #7 of the attachment would have had to be split into two rules. The "daddr" token cannot stand alone, but must be preceded by "ip" or "ip6", according to the IPv4 and IPv6 header expression syntax. Using a meta expression to match either of the two layer 4 protocols doesn't obviate this requirement.
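The fragment below is an added example, not the reporter's attachment and not nftables project code. It applies the two points raised in comments #3 and #4 to the ruleset from the original report: @th in place of @ht for the transport header, and one ip / ip6 rule per address family in place of a bare daddr. The g4dns addresses (Google Public DNS, which the original report never defines), the myIPv4 / myIPv6 placeholders and the bodies of the global chains are assumptions; the dns4, dns6, smb sets and the dns define are taken from the thread. The reporter's "ct direction original counter accept" is deliberately not reproduced, since it accepts every packet of every new flow and would make the drop policy meaningless.

```nft
#!/usr/sbin/nft -f
# Added example (not the bug's attachment). Assumed values: g4dns, myIPv4,
# myIPv6 and the contents of the global chains.

define g4dns  = { 8.8.8.8, 8.8.4.4 }                           # assumed: Google Public DNS v4
define g6dns  = { 2001:4860:4860::8888, 2001:4860:4860::8844 }
define o4dns  = { 208.67.222.222, 208.67.220.220 }
define o6dns  = { 2620:119:35::35, 2620:119:53::53 }
define myIPv4 = 192.0.2.10                                      # assumed placeholder (TEST-NET-1)
define myIPv6 = 2001:db8::10                                    # assumed placeholder (documentation prefix)
define dns    = { 53, 953 }

flush ruleset

table inet filter {
    set dns4 {
        type ipv4_addr
        elements = { $g4dns, $o4dns }
    }
    set dns6 {
        type ipv6_addr
        elements = { $g6dns, $o6dns }
    }
    set smb {
        type inet_service
        elements = { 137, 138, 139, 445 }
    }

    chain global_drop {
        counter drop
    }

    # Shared conntrack handling for both jump targets: replies to flows this
    # host opened are accepted, broken state is dropped, and anything else
    # returns to the input chain, where the drop policy applies.
    chain global {
        ct state { established, related } counter accept
        ct state { invalid, untracked } counter jump global_drop
    }

    chain global_dns {
        ct state { established, related } counter accept
        ct state { invalid, untracked } counter jump global_drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # daddr belongs to the ip / ip6 header expression, so the address
        # match becomes one rule per address family (comment #4).
        ip  saddr @dns4 ip  daddr $myIPv4 jump global_dns
        ip6 saddr @dns6 ip6 daddr $myIPv6 jump global_dns

        # The transport header is @th, not @ht (comment #3). Bits 16..31 of
        # both the TCP and the UDP header are the destination port, so one
        # raw-payload match covers both once meta l4proto narrows the rule
        # to those two protocols. Numeric values only: a raw payload field
        # is a plain integer, not an inet_service, so service names and the
        # inet_service-typed @smb set are spelled out here.
        meta l4proto { tcp, udp } @th,16,16 $dns jump global_dns
        meta l4proto { tcp, udp } @th,16,16 { 80, 443, 137, 138, 139, 445 } jump global
    }
}
```

Validate the file with `nft -c -f <file>` before loading it: the -c (check) flag parses and type-checks the ruleset without touching the live one, which is the step that would have surfaced both the unknown @ht base and the standalone daddr as parse errors rather than as a host that silently fails to accept DNS replies. Newer nftables releases also accept `th dport` as a readable spelling of the same 16-bit field, with the inet_service datatype so that `th dport @smb` works directly; whether a given host's nft supports it is an assumption to check against its man page.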