How to match both UDP and TCP for given ports in one line with nftables
How can I do this in a single line?
tcp dport 53 counter accept comment "accept DNS"
udp dport 53 counter accept comment "accept DNS"
linux configuration firewall netfilter nftables
asked Jun 6 at 13:49
Persian
1 Answer
accepted answer
For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.

So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy: TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, it appears that dns must be stated as 53, not dns; I can only imagine that's because dns/tcp and dns/udp (or domain, see later) are in two different "protocol namespaces".

The resulting command is (additional single quotes or else escaping the double quotes is needed here; the set of protocols goes in braces):

# nft 'add rule inet filter input meta l4proto { tcp, udp } @th,16,16 53 counter accept comment "accept DNS"'

If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.

Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page; alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).
answered Jul 31 at 12:44
A.B
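To show why the answer's @th,16,16 expression matches the destination port of both TCP and UDP, and why it must be guarded by the l4proto set (other protocols can carry the value 53 at the same offset), here is an added Python model of the rule, not code from the post or from nftables, applied to constructed IPv4 and IPv6 packets. IPv6 extension headers are deliberately not walked.

```python
import struct

TCP, UDP = 6, 17                    # what the set { tcp, udp } expands to
TH_OFF_BITS, TH_LEN_BITS = 16, 16   # the @th,16,16 raw payload expression

def transport_header(pkt: bytes):
    """Return (l4proto, transport-header bytes) for a raw IPv4/IPv6 packet.
    Simplification: IPv6 extension headers are not walked."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4     # header length in bytes
        return pkt[9], pkt[ihl:]      # protocol field is byte 9
    if version == 6:
        return pkt[6], pkt[40:]       # next-header field is byte 6
    raise ValueError("not an IP packet")

def th_field(th: bytes, off_bits: int, len_bits: int) -> int:
    """Read len_bits at off_bits of the transport header, like @th,off,len."""
    if off_bits % 8 or len_bits % 8:
        raise ValueError("only byte-aligned fields modelled here")
    start = off_bits // 8
    return int.from_bytes(th[start:start + len_bits // 8], "big")

def matches_dns_rule(pkt: bytes) -> bool:
    """Model of: meta l4proto { tcp, udp } @th,16,16 53"""
    proto, th = transport_header(pkt)
    if proto not in (TCP, UDP):       # the set guard: skip ICMP etc.
        return False
    return th_field(th, TH_OFF_BITS, TH_LEN_BITS) == 53

# Constructed sample packets (headers only, no payload, checksums zero).
def ipv4(proto: int, th: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(th), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return hdr + th

def ipv6(proto: int, th: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(th), proto, 64,
                      bytes(15) + b"\x01", bytes(15) + b"\x35")
    return hdr + th

def udp_hdr(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp_hdr(sport: int, dport: int) -> bytes:   # 20-byte SYN, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
```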