List:       netfilter
Subject:    Re: wiki documentation error
From:       Eric <evil.function () proton ! me>
Date:       2023-06-25 21:50:44
Message-ID: om-be6P8E-nyvhRJhp7MDC0HyKHBqwlh1Ln3q4CJCTnJSXPdwyfOlF9LjVEq42Dl6jNSX7Otwlu329rv1cudQcWn4AOUWXTF2RjMkRf9eto= () proton ! me

On Sunday, June 25th, 2023 at 14:04, Kerin Millar <kfm@plushkava.net> wrote:
> On Sun, 25 Jun 2023 14:45:21 +0800
> Michael Deegan <michael@deegan.id.au> wrote:
> 
> > Hello,
> > 
> > (please CC me on replies, I'm not subscribed)
> > 
> > It looks like I'm the first to attempt cutting and pasting the ruleset from
> > https://wiki.nftables.org/wiki-nftables/index.php?title=Simple_ruleset_for_a_home_router,
> >  as it...doesn't work. :P
> > 
> > The main problem is this line:
> > 
> > ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
> 
> 
> The syntax of the ruleset is valid. Please ensure that you have not inadvertently
> introduced a linefeed character anywhere within a given set element (immediately
> before or after a comma is fine). Also, please convey the error message that you
> are encountering.

Yup, like Kerin says, works for me (I picked the 'input' chain just because it's easy).

$ nft --version
nftables v1.0.7 (Old Doc Yak)

~$ nft -e add rule inet fw4 input 'ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}'
add rule inet fw4 input ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept } # new generation 83 by process 6770 (nft)

$ nft list chain inet fw4 input
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
... trimmed the noise ...
                ip protocol . th dport vmap { tcp . 22 : accept, tcp . 53 : accept, udp . 53 : accept, udp . 67 : accept }
        }
}

To decipher the parts of the match expression, this might help (scan for "transport header").

https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers

The rule is basically saying, "if the packet is IPv4, then concatenate the protocol and port from the transport header, use that as a key into the verdict map."
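
A complete ruleset file built around the rule discussed in this thread, added here as an example; it is not part of the thread or of the wiki page. The table and chain names (`inet example` / `input`) and the two preceding accept rules are this example's own choices, and the map elements are laid out one per line to show where a line break is and is not allowed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or the wiki. Table and chain names are arbitrary.
# Syntax-check without touching the live ruleset:   nft -c -f example.nft
# Load (note: "flush ruleset" below replaces all current rules):   nft -f example.nft

flush ruleset

table inet example {
        chain input {
                type filter hook input priority filter; policy drop;

                # Keep replies to our own traffic and loopback working.
                ct state established,related accept
                iif lo accept

                # Key = IPv4 transport protocol . destination port of the transport header.
                # The element list may be broken across lines, but only at the commas;
                # a line break inside one element such as "tcp . 22 : accept" is a syntax error.
                ip protocol . th dport vmap {
                        tcp . 22 : accept,
                        udp . 53 : accept,
                        tcp . 53 : accept,
                        udp . 67 : accept
                }
        }
}
```

Run `nft -c -f example.nft` first: `-c` parses and validates the file without committing it, so a stray linefeed inside an element is reported as a syntax error before anything changes on the box. The packets that match none of the map's keys fall through to the chain's `policy drop`.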
