How to match both UDP and TCP for given ports in one line with nftables

How can I do this in a single line?



tcp dport 53 counter accept comment "accept DNS"
udp dport 53 counter accept comment "accept DNS"
      asked Jun 6 at 13:49
      Persian
          1 Answer
          accepted
          For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy: TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, it appears that dns must be stated as 53, not dns; I can only imagine that's because dns/tcp and dns/udp (or domain, see later) are in two different "protocol namespaces".



          The resulting command is (additional single quotes or else escaping the double quotes is needed here):



# nft 'add rule inet filter input meta l4proto { tcp, udp } @th,16,16 53 counter accept comment "accept DNS"'


          If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



          Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).
                answered Jul 31 at 12:44
                A.B
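To see why the raw payload expression in the accepted answer works for both protocols, and why the l4proto set in front of it matters, here is an added Python example (not code from the question, the answer, or nftables) that emulates `meta l4proto { tcp, udp } @th,16,16 53` over constructed IPv4 and IPv6 packets. The packet layouts are minimal (no IP options, no IPv6 extension headers, zero checksums) and the helper names are this illustration's own.

```python
import struct

DNS_PORT = 53
L4PROTO_SET = {6, 17}  # {tcp, udp}: the anonymous set in "meta l4proto { tcp, udp }"

def transport_header(pkt):
    """Return (l4proto, transport-header bytes), i.e. what nft's 'th' base refers to.
    Assumption: IPv4 without options, IPv6 without extension headers."""
    version = pkt[0] >> 4
    if version == 4:
        return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]   # protocol byte, skip IHL*4 bytes
    if version == 6:
        return pkt[6], pkt[40:]                     # next-header byte, fixed 40-byte header
    raise ValueError("not an IP packet")

def match_th_16_16(pkt, value=DNS_PORT, require_l4proto=True):
    """Emulate 'meta l4proto { tcp, udp } @th,16,16 <value>': the 16-bit field at
    bit offset 16 (byte 2) of the transport header is the destination port in both
    TCP and UDP. require_l4proto=False drops the set check to show why it is needed:
    any other protocol carrying 0x0035 at bytes 2-3 would otherwise match too."""
    proto, th = transport_header(pkt)
    if require_l4proto and proto not in L4PROTO_SET:
        return False
    return struct.unpack_from("!H", th, 2)[0] == value

# Constructed sample packets (checksums left at zero; not real captures).
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return hdr + payload

def ipv6(proto, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, 64,
                      b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x01",
                      b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x53")
    return hdr + payload

def tcp(sport, dport):   # 20-byte TCP header, SYN set, data offset 5
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
def udp(sport, dport):   # 8-byte UDP header
    return struct.pack("!HHHH", sport, dport, 8, 0)
def icmp_lookalike():    # ICMP echo whose checksum bytes happen to read 0x0035
    return struct.pack("!BBHHH", 8, 0, 53, 0x1234, 1)

TCP_DNS4 = ipv4(6, tcp(40000, 53))    # matches the rule
UDP_DNS6 = ipv6(17, udp(40000, 53))   # matches too: same offset, inet table covers ip6
UDP_NTP4 = ipv4(17, udp(40000, 123))  # wrong port, no match
ICMP4 = ipv4(1, icmp_lookalike())     # matches only if the l4proto set check is skipped
```

Running `match_th_16_16` on the four samples reproduces the rule's behaviour and shows the ICMP packet slipping through only when the `meta l4proto` set is omitted.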