[pkg-netfilter-team] Bug#994273: Follow-up example
Harry STARR
starr at harrystarr.com
Thu Oct 7 00:26:05 BST 2021
Here is my-nftables (used to instantiate the ruleset):
nft -f my-nftables
>>> my-nftables
# Load with: nft -f my-nftables
# Discard whatever ruleset is currently loaded so this file is the complete
# ruleset, not an addition to it.
flush ruleset
table ip filter {
# Sources dynamically banned by the last rule of chain INPUT (see below).
# 'timeout 31m' gives every element a 31-minute lifetime; 'counter' keeps a
# per-element packet/byte count. The elements seeded here are subject to the
# same 31m timeout, so they disappear from the set on their own.
# NOTE(review): once the set holds 65535 entries further adds are refused —
# the size cap bounds memory but also bounds how many sources can be banned.
set bad_guys {
type ipv4_addr
size 65535
timeout 31m
counter
elements = { 192.168.0.101, 192.168.0.102,
192.168.0.172 }
}
# Static blocklist. 'flags interval' is what allows a prefix such as
# 5.6.7.0/24 to be a member alongside single addresses.
set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4, 5.6.7.0/24 }
}
# Sources that may not query DNS (port 53) on this host; entries expire
# after one day.
set dns_black {
type ipv4_addr
size 65535
timeout 1d
counter
elements = { 192.168.0.100 }
}
# Inbound traffic. Default policy is drop: anything not accepted by a rule
# below is dropped. Rule order matters throughout this chain.
chain INPUT {
type filter hook input priority filter; policy drop;
# Evaluated before the established/related accept, so a source present in
# @bad_guys loses its existing sessions as well as new ones. It also
# precedes the 192.168.0.0/16 accept, which is why the seeded LAN addresses
# above are still blocked.
ip saddr @bad_guys counter drop
ct state invalid counter drop
ct state established,related counter accept
iifname "lo" counter accept
ip saddr @black counter drop
# Everything else from the local /16 is accepted unconditionally.
ip saddr 192.168.0.0/16 counter accept
# DHCP (bootps/bootpc, 67-68) on interface ge0 only.
iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
# DNS: the @dns_black drops must stay ahead of the unconditional port-53
# accepts that follow, otherwise the blocklist has no effect.
udp dport 53 ip saddr @dns_black counter drop
tcp dport 53 ip saddr @dns_black counter drop
udp dport 53 counter accept
tcp dport 53 counter accept
# Drop (and count) anything addressed to a multicast destination.
fib daddr type multicast counter drop
# Catch-all: any packet that reaches this point is one the policy would drop
# anyway; its source address is inserted into @bad_guys (31m timeout from
# the set definition), the packet is logged at debug level and dropped.
# NOTE(review): the key is the packet's own source address, which is not
# validated here — a single stray packet is enough to ban a source for 31m.
add @bad_guys { ip saddr } log level debug counter drop
}
# Forwarded and locally generated traffic are not filtered by this ruleset.
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
<<<
Here is the nft list ruleset output:
>>>
root at y6:~ # nft list ruleset
table ip filter {
set bad_guys {
type ipv4_addr
size 65535
counter
timeout 31m
}
set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
}
set dns_black {
type ipv4_addr
size 65535
counter
timeout 1d
elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h59m40s260ms }
}
chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr @bad_guys counter packets 0 bytes 0 drop
ct state invalid counter packets 22 bytes 3204 drop
ct state established,related counter packets 298 bytes 23763 accept
iifname "lo" counter packets 0 bytes 0 accept
ip saddr @black counter packets 0 bytes 0 drop
ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
udp dport 53 counter packets 0 bytes 0 accept
tcp dport 53 counter packets 0 bytes 0 accept
fib daddr type multicast counter packets 0 bytes 0 drop
add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
<<<
And here is the nft -s list ruleset output:
>>>
root at y6:~ # nft -s list ruleset
table ip filter {
set bad_guys {
type ipv4_addr
size 65535
counter
timeout 31m
}
set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
}
set dns_black {
type ipv4_addr
size 65535
counter
timeout 1d
elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
}
chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr @bad_guys counter packets 0 bytes 0 drop
ct state invalid counter packets 22 bytes 3204 drop
ct state established,related counter packets 351 bytes 28667 accept
iifname "lo" counter packets 0 bytes 0 accept
ip saddr @black counter packets 0 bytes 0 drop
ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
udp dport 53 counter packets 0 bytes 0 accept
tcp dport 53 counter packets 0 bytes 0 accept
fib daddr type multicast counter packets 0 bytes 0 drop
add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
<<<
NOTICE: in chain INPUT the packet/byte counters are still listed,
and in the set listings the per-element packet/byte counter values and the expiry time are listed.