[pkg-netfilter-team] Bug#994273: Follow-up example

Jeremy Sowden jeremy at azazel.net
Thu Oct 7 19:19:40 BST 2021


On 2021-10-07, at 09:26:05 +1000, Harry STARR wrote:
> [...]
> And here is the nft -s list ruleset
> >>>
> root at y6:~ # nft -s list ruleset
> table ip filter {
>         set bad_guys {
>                 type ipv4_addr
>                 size 65535
>                 counter
>                 timeout 31m
>         }
>
>         set black {
>                 type ipv4_addr
>                 size 65535
>                 flags interval
>                 counter
>                 elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
>         }
>
>         set dns_black {
>                 type ipv4_addr
>                 size 65535
>                 counter
>                 timeout 1d
>                 elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
>         }
>
>         chain INPUT {
>                 type filter hook input priority filter; policy drop;
>                 ip saddr @bad_guys counter packets 0 bytes 0 drop
>                 ct state invalid counter packets 22 bytes 3204 drop
>                 ct state established,related counter packets 351 bytes 28667 accept
>                 iifname "lo" counter packets 0 bytes 0 accept
>                 ip saddr @black counter packets 0 bytes 0 drop
>                 ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
>                 iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
>                 udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
>                 tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
>                 udp dport 53 counter packets 0 bytes 0 accept
>                 tcp dport 53 counter packets 0 bytes 0 accept
>                 fib daddr type multicast counter packets 0 bytes 0 drop
>                 add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
>         }
>
>         chain FORWARD {
>                 type filter hook forward priority filter; policy accept;
>         }
>
>         chain OUTPUT {
>                 type filter hook output priority filter; policy accept;
>         }
> }
> <<<
>
> NOTICE: in chain INPUT: the packet/bytes are still listed,
> and in the set listings, the packet/count values and expires time are
> listed.

Thanks.  It seems that the `stateless` flag gets lost in some
circumstances.  Compare this:

  $ sudo nft --stateless list ruleset
  table ip filter {
  [...]
          chain INPUT {
                  type filter hook input priority filter; policy drop;
                  ip saddr @bad_guys counter packets 92 bytes 49768 drop
                  ct state invalid counter packets 0 bytes 0 drop
                  ct state established,related counter packets 6281 bytes 4373744 accept
                  iifname "lo" counter packets 1 bytes 73 accept
                  ip saddr @black counter packets 0 bytes 0 drop
                  ip saddr 192.168.0.0/16 counter packets 142 bytes 39680 accept
                  iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 0 bytes 0 accept
                  udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                  tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                  udp dport 53 counter packets 0 bytes 0 accept
                  tcp dport 53 counter packets 0 bytes 0 accept
                  fib daddr type multicast counter packets 1 bytes 73 drop
                  add @bad_guys { ip saddr } log level debug counter packets 1 bytes 576 drop
          }
  [...]
  }

with this:

  $ sudo nft --stateless list chain filter INPUT
  table ip filter {
          chain INPUT {
                  type filter hook input priority filter; policy drop;
                  ip saddr @bad_guys counter drop
                  ct state invalid counter drop
                  ct state established,related counter accept
                  iifname "lo" counter accept
                  ip saddr @black counter drop
                  ip saddr 192.168.0.0/16 counter accept
                  iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
                  udp dport 53 ip saddr @dns_black counter drop
                  tcp dport 53 ip saddr @dns_black counter drop
                  udp dport 53 counter accept
                  tcp dport 53 counter accept
                  fib daddr type multicast counter drop
                  add @bad_guys { ip saddr } log level debug counter drop
          }
  }

I'll send a patch upstream.

J.
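As an added example (not part of this thread or the nftables project): a small Python filter that flags the stateful tokens the report shows leaking through `nft --stateless list ruleset` (per-rule `counter packets N bytes M` and set-element `expires ...`) and strips them, so a listing can still be diffed or archived until the fix lands. The sample listing below is constructed from the output quoted above.

```python
import re
import sys

# Constructed sample of what the bug report shows `nft --stateless list ruleset`
# still emitting: per-rule packet/byte counters and a set element's expiry.
LEAKY_OUTPUT = """\
table ip filter {
        set dns_black {
                type ipv4_addr
                counter
                timeout 1d
                elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
        }

        chain INPUT {
                type filter hook input priority filter; policy drop;
                ip saddr @bad_guys counter packets 92 bytes 49768 drop
                ct state invalid counter packets 0 bytes 0 drop
                add @bad_guys { ip saddr } log level debug counter packets 1 bytes 576 drop
        }
}
"""

# Runtime state that a stateless listing must not contain. The bare `counter`
# keyword is a set/rule option and is kept; only the packets/bytes values go.
COUNTER_STATE = re.compile(r"counter packets \d+ bytes \d+")
EXPIRES_STATE = re.compile(r" ?expires \d+(?:ms|[dhms])(?:\d+(?:ms|[dhms]))*")


def leaked_state(listing):
    """Return (line_number, token) for every stateful token in an nft listing."""
    hits = []
    for num, line in enumerate(listing.splitlines(), start=1):
        for pat in (COUNTER_STATE, EXPIRES_STATE):
            hits.extend((num, m.group(0).strip()) for m in pat.finditer(line))
    return hits


def strip_state(listing):
    """Rewrite a listing to what `--stateless` should have produced."""
    listing = COUNTER_STATE.sub("counter", listing)
    return EXPIRES_STATE.sub("", listing)


def is_stateless(listing):
    return not leaked_state(listing)


if __name__ == "__main__":
    # Usage: nft --stateless list ruleset | python3 nft_strip_state.py
    text = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_OUTPUT
    for num, tok in leaked_state(text):
        print(f"line {num}: stateful token leaked: {tok}", file=sys.stderr)
    sys.stdout.write(strip_state(text))
```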