[pkg-netfilter-team] Bug#994273: Follow-up example

Harry STARR starr at harrystarr.com
Thu Oct 7 00:26:05 BST 2021


Here is my-nftables (used to instantiate the ruleset):
nft -f my-nftables

>>> my-nftables
# Loaded with `nft -f my-nftables`.  `flush ruleset` discards every existing
# table first, so after loading this file is the complete firewall policy.
flush ruleset
# IPv4 only ("ip" family).  No ip6 or inet table is defined here, so nothing
# in this file filters IPv6 traffic.
table ip filter {
        # Dynamic ban list, populated by the last INPUT rule.  Entries expire
        # after 31 minutes (the three seeded addresses included) and the set
        # holds at most 65535 addresses.
        set bad_guys {
                type ipv4_addr
                size 65535
                timeout 31m
                counter
                elements = { 192.168.0.101, 192.168.0.102,
                             192.168.0.172 }
        }

        # Static block list; "flags interval" is what allows the /24 prefix.
        set black {
                type ipv4_addr
                size 65535
                flags interval
                counter
                elements = { 1.2.3.4, 5.6.7.0/24 }
        }

        # Sources refused DNS service.  NOTE(review): the 1d timeout applies to
        # the seeded element as well, so 192.168.0.100 leaves this set after a
        # day unless it is re-added.
        set dns_black {
                type ipv4_addr
                size 65535
                timeout 1d
                counter
                elements = { 192.168.0.100 }
        }

        chain INPUT {
                type filter hook input priority filter; policy drop;
                # Evaluated before the established/related accept, so a ban
                # also cuts existing connections from that address.
                ip saddr @bad_guys counter drop
                ct state invalid counter drop
                ct state established,related counter accept
                iifname "lo" counter accept
                ip saddr @black counter drop
                # Everything from the local /16 is accepted unconditionally.
                ip saddr 192.168.0.0/16 counter accept
                # DHCP client/server exchange, on ge0 only.
                iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
                udp dport 53 ip saddr @dns_black counter drop
                tcp dport 53 ip saddr @dns_black counter drop
                # DNS is accepted from any source not in @dns_black, including
                # sources outside the LAN.  NOTE(review): if a recursive
                # resolver listens on this host, confirm that exposure is
                # intended.
                udp dport 53 counter accept
                tcp dport 53 counter accept
                fib daddr type multicast counter drop
                # Catch-all: any IPv4 packet not matched above (e.g. ICMP from
                # outside the LAN, which no earlier rule accepts) has its source
                # address added to @bad_guys for 31m, is logged at debug level,
                # and is dropped.  NOTE(review): the source address is taken
                # as-is, so a packet with a spoofed source can put a third
                # party's address into the ban list; and debug-level log
                # messages are often discarded by the system logger -- confirm
                # they are actually retained.
                add @bad_guys { ip saddr } log level debug counter drop
        }

        # Forwarded traffic is not restricted.
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        # Locally generated traffic is not restricted.
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

<<<

Here is the nft list ruleset output:
>>>
root at y6:~ # nft list ruleset
table ip filter {
        set bad_guys {
                type ipv4_addr
                size 65535
                counter
                timeout 31m
        }

        set black {
                type ipv4_addr
                size 65535
                flags interval
                counter
                elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
        }

        set dns_black {
                type ipv4_addr
                size 65535
                counter
                timeout 1d
                elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h59m40s260ms }
        }

        chain INPUT {
                type filter hook input priority filter; policy drop;
                ip saddr @bad_guys counter packets 0 bytes 0 drop
                ct state invalid counter packets 22 bytes 3204 drop
                ct state established,related counter packets 298 bytes 23763 accept
                iifname "lo" counter packets 0 bytes 0 accept
                ip saddr @black counter packets 0 bytes 0 drop
                ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
                iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
                udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                udp dport 53 counter packets 0 bytes 0 accept
                tcp dport 53 counter packets 0 bytes 0 accept
                fib daddr type multicast counter packets 0 bytes 0 drop
                add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
<<<

And here is the nft -s list ruleset
>>>
root at y6:~ # nft -s list ruleset
table ip filter {
        set bad_guys {
                type ipv4_addr
                size 65535
                counter
                timeout 31m
        }

        set black {
                type ipv4_addr
                size 65535
                flags interval
                counter
                elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
        }

        set dns_black {
                type ipv4_addr
                size 65535
                counter
                timeout 1d
                elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
        }

        chain INPUT {
                type filter hook input priority filter; policy drop;
                ip saddr @bad_guys counter packets 0 bytes 0 drop
                ct state invalid counter packets 22 bytes 3204 drop
                ct state established,related counter packets 351 bytes 28667 accept
                iifname "lo" counter packets 0 bytes 0 accept
                ip saddr @black counter packets 0 bytes 0 drop
                ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
                iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
                udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                udp dport 53 counter packets 0 bytes 0 accept
                tcp dport 53 counter packets 0 bytes 0 accept
                fib daddr type multicast counter packets 0 bytes 0 drop
                add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
<<<

NOTICE: even with -s, the per-rule packet/byte counters in chain INPUT are still listed,
and in the set listings the per-element packet/byte counters and expiry times are still listed.


