
List:       netfilter
Subject:    Re: TCP flags syntax in nftables
From:       Robert White <rwhite () pobox ! com>
Date:       2017-03-23 19:43:25
Message-ID: a270fb38-5ad2-d3b5-a527-eee85548328e () pobox ! com

On 03/23/17 12:11, Brian Filipek wrote:
> Hi,
>
> I've done some digging but really can't find a good explanation of the
> syntax for matching TCP flags in nftables. In iptables a rule can be
> written like:
> -A TEST_BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BADFLAGS
>
> How do I do the equivalent in nftables? Also are we still able to use
> the "ALL" and "NONE" keywords?

So a quick preamble. The iptables command and structure didn't include 
basic math support because the engine didn't have any sort of expression 
evaluation.

So in iptables the two expressions are (first) the mask to bitwise-and 
with the actual flags, then (second) the expected result.

So --tcp-flags M R is the same as "if ((packet_flags & M) == R) then"

In nftables you write that out as an actual expression.

So "tcp flags & (syn|fin) == syn|fin"

Which is "fetch tcp flags", make a bitwise or of syn and fin bits, use 
that value as a mask to ignore other bits, now make a bitwise or of syn 
and fin again, finally compare the two values and make sure they are equal.

Now the front-end is going to compile this into "flags & 0x03 == 0x03", 
which is exactly the sort of thing that the iptables match did so WTF 
amirite?

Since the nft system basically introduces a limited mathematical context 
you can use other expressions. Not equal and less-than and so on.

So let's say you want a counter of all the tcp packets with "exotic" flags.

that's "tcp flags ge urg counter"

This will catch any packet with urg, ecn, or cwr set regardless of any 
other flags also set.

So the math context relieves you of the strict equality test in the 
iptables version, but it's a hair more hands-on in terms of knowing how 
boolean expressions work in C-like languages.

--Rob.
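As an added illustration (not part of Rob's reply or of the nftables project), a small Python model of the matching described above, so the iptables mask/compare form and the two nft expression forms can be checked side by side on constructed flag bytes. The bit values are the standard TCP header flag bits; the function names and sample combinations are my own.

```python
# Added example (not from the original thread): a small model of the TCP flag
# matching semantics described above. Flag bit values are the standard TCP
# header bits (FIN=0x01 ... CWR=0x80); nft's "ecn" names the ECE bit (0x40).
FIN, SYN, RST, PSH, ACK, URG, ECN, CWR = (1 << i for i in range(8))
FLAG_NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH,
              "ack": ACK, "urg": URG, "ecn": ECN, "cwr": CWR}


def flags_from_names(spec):
    """iptables-style comma-separated list, e.g. 'SYN,FIN' -> 0x03."""
    return sum(FLAG_NAMES[n.strip().lower()] for n in spec.split(",") if n.strip())


def iptables_tcp_flags_match(packet_flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP is (packet_flags & MASK) == COMP."""
    return (packet_flags & flags_from_names(mask_spec)) == flags_from_names(comp_spec)


def nft_masked_eq(packet_flags, mask, expected):
    """nft: tcp flags & MASK == EXPECTED, the same test written as an expression."""
    return (packet_flags & mask) == expected


def nft_flags_ge(packet_flags, threshold):
    """nft: tcp flags ge THRESHOLD; true whenever the flag byte, read as an
    integer, is at least THRESHOLD, so any higher bit being set also matches."""
    return packet_flags >= threshold


def classify(packet_flags):
    """Which of the two rules from the thread would match this flag byte."""
    return {
        "syn_fin": nft_masked_eq(packet_flags, SYN | FIN, SYN | FIN),
        "exotic": nft_flags_ge(packet_flags, URG),
    }


# Constructed flag combinations for illustration, not captured traffic.
SAMPLES = {"syn": SYN, "syn+fin": SYN | FIN, "syn+fin+ack": SYN | FIN | ACK,
           "ack+psh": ACK | PSH, "ack+urg": ACK | URG, "cwr+ecn": CWR | ECN,
           "null": 0}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        ipt = iptables_tcp_flags_match(flags, "SYN,FIN", "SYN,FIN")
        print(f"{name:12s} 0x{flags:02x} iptables={ipt} nft={classify(flags)}")
```

Running it shows the iptables rule and the nft masked comparison agreeing on every sample, while `ge urg` fires only for the urg, ecn and cwr combinations regardless of the lower bits.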
