Commit
revert usage of nftables sets for dport
mwindower committed Jun 17, 2020
1 parent eeedea4 commit b9839aa
Showing 2 changed files with 4 additions and 2 deletions.
3 changes: 2 additions & 1 deletion internal/netconf/testdata/nftrules.v4
Expand Up @@ -8,7 +8,8 @@ table ip metal {
iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0"
iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1"
tcp dport ssh ct state new counter accept comment "SSH incoming connections"
ip saddr 10.0.0.0/8 tcp dport { 9100, 9630 } counter accept comment "firewall metrics"

majst01 (Contributor), Jun 17, 2020:

Why did this not work?

mwindower (Author, Contributor), Jun 18, 2020:

I have no idea... the error was "no such file / device". Another reason for nftables rule validation in a Go test.

majst01 (Contributor), Jun 18, 2020:

Still trying, not so easy...

majst01 (Contributor), Jun 18, 2020:

But according to https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes this must be possible; example from there:

	tcp sport { 33, 55, 67, 88 }

majst01 (Contributor), Jun 18, 2020:

nft versions:

  • debian-10: 0.9.0
  • ubuntu-19.10: 0.9.2
  • ubuntu-20.04: 0.9.3

Latest from upstream: 0.9.6

majst01 (Contributor), Jun 18, 2020:

I think we have to create a set for this like:

	set exporter_ports {
		type inet_service
		flags interval
		elements = { 9100, 9630 }
	}
	ip saddr 10.0.0.0/8 tcp dport @exporter_ports counter accept comment "firewall metrics"

A good reference is in the nft source:
http://git.netfilter.org/nftables/tree/tests/shell/testcases/sets/0001named_interval_0

ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
counter jump refuse
}
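Review bot: this fixture only pins the literal text the template renders, so it cannot catch the load failure that motivated the revert (the inline discussion above reports "no such file / device" when the anonymous set form `ip saddr 10.0.0.0/8 tcp dport { 9100, 9630 } counter accept comment "firewall metrics"` was loaded). Consider having the Go test additionally run `nft -c -f` over the rendered rules when an nft binary is available on the test host, so that a ruleset that renders correctly but is rejected by the installed nft version fails in CI rather than on the firewall.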
3 changes: 2 additions & 1 deletion internal/netconf/tpl/rules.v4.tpl
Expand Up @@ -8,7 +8,8 @@ table ip metal {
iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0"
iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1"
tcp dport ssh ct state new counter accept comment "SSH incoming connections"
ip saddr 10.0.0.0/8 tcp dport { 9100, 9630 } counter accept comment "firewall metrics"
ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
counter jump refuse
}
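Review bot: the template keeps no record of why the single `tcp dport { 9100, 9630 }` rule became two near-identical rules, so the next cleanup pass is likely to fold them back into a set and reintroduce the load failure. Add a comment above the two `ip saddr 10.0.0.0/8 tcp dport` lines stating that the anonymous set form failed to load on the deployed nft version and that the per-port rules are intentional; if the set form is wanted later, the named-set variant suggested in the discussion above is the one to retry, together with a load check.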
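The inline discussion above asks for nftables rule validation in a Go test and compares three ways of matching the two metrics ports: the anonymous set this commit reverts, the named set suggested in review, and the per-port rules the commit ships. The following is an added example and not part of the metal-networker code base: it renders all three forms, wraps them in a table skeleton whose chain name, hook and policy are constructed for the example (the real template differs), and checks the result with `nft -c -f FILE`, which parses and evaluates a ruleset without loading it into the kernel. The set name `exporter_ports` is taken from the review comment; `metricsRules`, `renderRuleset` and `checkWithNft` are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// portRule is one metrics exporter port and the rule comment it should carry.
type portRule struct {
	Port    int
	Comment string
}

// setStyle selects how the port match is expressed in the rendered rule(s).
type setStyle int

const (
	anonymousSet setStyle = iota // tcp dport { 9100, 9630 }: the form this commit reverted
	namedSet                     // set exporter_ports { ... } plus tcp dport @exporter_ports
	perPort                      // one accept rule per port: the form this commit ships
)

// ErrNftMissing is returned by checkWithNft when no nft binary is on PATH,
// so a test can skip the syntax check instead of failing on a host without nft.
var ErrNftMissing = errors.New("nft binary not found on PATH")

// metricsRules returns the set definitions (none for two of the styles) and the
// accept rules for the given ports. The 10.0.0.0/8 source prefix is the one used
// in the template; the "firewall metrics" comment is the one the set form carried.
func metricsRules(ports []portRule, style setStyle) (sets, rules []string) {
	nums := make([]string, 0, len(ports))
	for _, p := range ports {
		nums = append(nums, fmt.Sprint(p.Port))
	}
	list := strings.Join(nums, ", ")
	switch style {
	case anonymousSet:
		rules = []string{fmt.Sprintf(`ip saddr 10.0.0.0/8 tcp dport { %s } counter accept comment "firewall metrics"`, list)}
	case namedSet:
		// Discrete ports need no "flags interval"; that flag is only required for port ranges.
		sets = []string{"set exporter_ports {", "\ttype inet_service", fmt.Sprintf("\telements = { %s }", list), "}"}
		rules = []string{`ip saddr 10.0.0.0/8 tcp dport @exporter_ports counter accept comment "firewall metrics"`}
	case perPort:
		for _, p := range ports {
			rules = append(rules, fmt.Sprintf(`ip saddr 10.0.0.0/8 tcp dport %d counter accept comment "%s"`, p.Port, p.Comment))
		}
	}
	return sets, rules
}

// renderRuleset wraps sets and rules in a constructed table/chain skeleton.
func renderRuleset(sets, rules []string) string {
	var b strings.Builder
	b.WriteString("table ip metal {\n")
	for _, l := range sets {
		b.WriteString("\t" + l + "\n")
	}
	b.WriteString("\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n")
	for _, r := range rules {
		b.WriteString("\t\t" + r + "\n")
	}
	b.WriteString("\t}\n}\n")
	return b.String()
}

// checkWithNft writes the ruleset to a temporary file and runs `nft -c -f FILE`.
// A non-zero exit means the installed nft rejected the syntax or semantics.
func checkWithNft(ruleset string) error {
	nft, err := exec.LookPath("nft")
	if err != nil {
		return ErrNftMissing
	}
	dir, err := os.MkdirTemp("", "nftcheck")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "rules.v4")
	if err := os.WriteFile(path, []byte(ruleset), 0o600); err != nil {
		return err
	}
	if out, err := exec.Command(nft, "-c", "-f", path).CombinedOutput(); err != nil {
		return fmt.Errorf("nft -c rejected ruleset: %w\n%s", err, out)
	}
	return nil
}

func main() {
	ports := []portRule{{9100, "node metrics"}, {9630, "nftables metrics"}}
	for _, style := range []setStyle{anonymousSet, namedSet, perPort} {
		rs := renderRuleset(metricsRules(ports, style))
		fmt.Print(rs)
		switch err := checkWithNft(rs); {
		case errors.Is(err, ErrNftMissing):
			fmt.Println("-- nft not installed, syntax check skipped")
		case err != nil:
			fmt.Println("-- FAIL:", err)
		default:
			fmt.Println("-- OK")
		}
	}
}
```

Run on a host with the same nft version as the firewalls, the loop shows which of the three forms the installed parser accepts; in a Go test the `ErrNftMissing` case becomes `t.Skip`, so the fixture comparison still runs everywhere while the load check only runs where it is meaningful.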