How to match both UDP and TCP for given ports in one line with nftables

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite
1












How can i do this in a single line?



tcp dport 53 counter accept comment "accept DNS"
udp dport 53 counter accept comment "accept DNS"






share|improve this question























    up vote
    0
    down vote

    favorite
    1












    How can i do this in a single line?



    tcp dport 53 counter accept comment "accept DNS"
    udp dport 53 counter accept comment "accept DNS"






    share|improve this question





















      up vote
      0
      down vote

      favorite
      1









      up vote
      0
      down vote

      favorite
      1






      1





      How can i do this in a single line?



      tcp dport 53 counter accept comment "accept DNS"
      udp dport 53 counter accept comment "accept DNS"






      share|improve this question











      How can i do this in a single line?



      tcp dport 53 counter accept comment "accept DNS"
      udp dport 53 counter accept comment "accept DNS"








      share|improve this question










      share|improve this question




      share|improve this question









      asked Jun 6 at 13:49









      Persian

      6061921




      6061921




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



          So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy, TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, It appears that dns must be stated as 53 not dns, I can only imagine that's because dns/tcp and dns/udp (or domain see later) are in two different "protocol namespaces".



          The resulting command is (additional single quotes or else escaping the double quotes is needed here):



          # nft 'add rule inet filter input meta l4proto tcp, udp @th,16,16 53 counter accept comment "accept DNS"'


          If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



          Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).






          share|improve this answer





















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f448209%2fhow-to-match-both-udp-and-tcp-for-given-ports-in-one-line-with-nftables%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote



            accepted










            For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



            So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy, TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, It appears that dns must be stated as 53 not dns, I can only imagine that's because dns/tcp and dns/udp (or domain see later) are in two different "protocol namespaces".



            The resulting command is (additional single quotes or else escaping the double quotes is needed here):



            # nft 'add rule inet filter input meta l4proto tcp, udp @th,16,16 53 counter accept comment "accept DNS"'


            If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



            Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).






            share|improve this answer

























              up vote
              1
              down vote



              accepted










              For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



              So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy, TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, It appears that dns must be stated as 53 not dns, I can only imagine that's because dns/tcp and dns/udp (or domain see later) are in two different "protocol namespaces".



              The resulting command is (additional single quotes or else escaping the double quotes is needed here):



              # nft 'add rule inet filter input meta l4proto tcp, udp @th,16,16 53 counter accept comment "accept DNS"'


              If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



              Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).






              share|improve this answer























                up vote
                1
                down vote



                accepted







                up vote
                1
                down vote



                accepted






                For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



                So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy, TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, It appears that dns must be stated as 53 not dns, I can only imagine that's because dns/tcp and dns/udp (or domain see later) are in two different "protocol namespaces".



                The resulting command is (additional single quotes or else escaping the double quotes is needed here):



                # nft 'add rule inet filter input meta l4proto tcp, udp @th,16,16 53 counter accept comment "accept DNS"'


                If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



                Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).






                share|improve this answer













                For the sake of telling it's possible (but probably not that useful), yes it's possible, using a recent enough nftables and a raw payload expression.



                So for the inet (dual ip/ip6) table, you have to first filter the right level 4 protocol (here TCP=6 and UDP=17) using a set, then filter the port 53. That's handy, TCP and UDP have the same location for the destination port in their respective format. dport is expressed as the offset of the destination port in the TCP/UDP part of the packet: 16 bits, with a size of 16 bits as seen in the previous links. While tcp and udp can be used by their symbolic name, It appears that dns must be stated as 53 not dns, I can only imagine that's because dns/tcp and dns/udp (or domain see later) are in two different "protocol namespaces".



                The resulting command is (additional single quotes or else escaping the double quotes is needed here):



                # nft 'add rule inet filter input meta l4proto tcp, udp @th,16,16 53 counter accept comment "accept DNS"'


                If you want it for IPv4 only, initialize the corresponding ip table and chains and replace inet with ip.



                Please also note that almost the same is given as example in the 0.8.3 release notes and is now included in nft's man page, alas, that example doesn't work: dns and http have to be replaced with 53 and 80 (and anyway some distributions/versions might have required domain instead of dns).







                share|improve this answer













                share|improve this answer



                share|improve this answer











                answered Jul 31 at 12:44









                A.B

                2,4751315




                2,4751315






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f448209%2fhow-to-match-both-udp-and-tcp-for-given-ports-in-one-line-with-nftables%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?