Bug#994273: Follow-up example

2021-10-07 Thread Jeremy Sowden 
On 2021-10-07, at 09:26:05 +1000, Harry STARR wrote:
> [...]
> And here is the nft -s list ruleset
> >>>
> root@y6:~ # nft -s list ruleset
> table ip filter {
> set bad_guys {
> type ipv4_addr
> size 65535
> counter
> timeout 31m
> }
>
> set black {
> type ipv4_addr
> size 65535
> flags interval
> counter
> elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 
> counter packets 0 bytes 0 }
> }
>
> set dns_black {
> type ipv4_addr
> size 65535
> counter
> timeout 1d
> elements = { 192.168.0.100 counter packets 0 bytes 0 expires 
> 22h58m48s84ms }
> }
>
> chain INPUT {
> type filter hook input priority filter; policy drop;
> ip saddr @bad_guys counter packets 0 bytes 0 drop
> ct state invalid counter packets 22 bytes 3204 drop
> ct state established,related counter packets 351 bytes 28667 
> accept
> iifname "lo" counter packets 0 bytes 0 accept
> ip saddr @black counter packets 0 bytes 0 drop
> ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
> iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 
> 8 bytes 2696 accept
> udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 
> drop
> tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 
> drop
> udp dport 53 counter packets 0 bytes 0 accept
> tcp dport 53 counter packets 0 bytes 0 accept
> fib daddr type multicast counter packets 0 bytes 0 drop
> add @bad_guys { ip saddr } log level debug counter packets 0 
> bytes 0 drop
> }
>
> chain FORWARD {
> type filter hook forward priority filter; policy accept;
> }
>
> chain OUTPUT {
> type filter hook output priority filter; policy accept;
> }
> }
> <<<
>
> NOTICE: in chain INPUT: the packet/bytes are still listed,
> and in the set listings, the packet/count values and expires time is
> listed.

Thanks.  It seems that the `stateless` flag gets lost in some
circumstances.  Compare this:

  $ sudo nft --stateless list ruleset
  table ip filter {
  [...]
  chain INPUT {
  type filter hook input priority filter; policy drop;
  ip saddr @bad_guys counter packets 92 bytes 49768 drop
  ct state invalid counter packets 0 bytes 0 drop
  ct state established,related counter packets 6281 bytes 
4373744 accept
  iifname "lo" counter packets 1 bytes 73 accept
  ip saddr @black counter packets 0 bytes 0 drop
  ip saddr 192.168.0.0/16 counter packets 142 bytes 39680 accept
  iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 
0 bytes 0 accept
  udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 
drop
  tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 
drop
  udp dport 53 counter packets 0 bytes 0 accept
  tcp dport 53 counter packets 0 bytes 0 accept
  fib daddr type multicast counter packets 1 bytes 73 drop
  add @bad_guys { ip saddr } log level debug counter packets 1 
bytes 576 drop
  }
  [...]
  }

with this:

  $ sudo nft --stateless list chain filter INPUT
  table ip filter {
  chain INPUT {
  type filter hook input priority filter; policy drop;
  ip saddr @bad_guys counter drop
  ct state invalid counter drop
  ct state established,related counter accept
  iifname "lo" counter accept
  ip saddr @black counter drop
  ip saddr 192.168.0.0/16 counter accept
  iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
  udp dport 53 ip saddr @dns_black counter drop
  tcp dport 53 ip saddr @dns_black counter drop
  udp dport 53 counter accept
  tcp dport 53 counter accept
  fib daddr type multicast counter drop
  add @bad_guys { ip saddr } log level debug counter drop
  }
  }

I'll send a patch upstream.

J.


signature.asc
Description: PGP signature

Bug#994273: Follow-up example

2021-10-06 Thread Harry STARR 
Here is my-nftables (used to instantiate the ruleset):
nft -f my-nftables

>>> my-nftables
flush ruleset
table ip filter {
set bad_guys {
type ipv4_addr
size 65535
timeout 31m
counter
elements = { 192.168.0.101, 192.168.0.102,
 192.168.0.172 }
}

set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4, 5.6.7.0/24 }
}

set dns_black {
type ipv4_addr
size 65535
timeout 1d
counter
elements = { 192.168.0.100 }
}

chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr @bad_guys counter drop
ct state invalid counter drop
ct state established,related counter accept
iifname "lo" counter accept
ip saddr @black counter drop
ip saddr 192.168.0.0/16 counter accept
iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
udp dport 53 ip saddr @dns_black counter drop
tcp dport 53 ip saddr @dns_black counter drop
udp dport 53 counter accept
tcp dport 53 counter accept
fib daddr type multicast counter drop
add @bad_guys { ip saddr } log level debug counter drop
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
}

chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}

<<<

Here is the nft list ruleset output:
>>>
root@y6:~ # nft list ruleset
table ip filter {
set bad_guys {
type ipv4_addr
size 65535
counter
timeout 31m
}

set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 
counter packets 0 bytes 0 }
}

set dns_black {
type ipv4_addr
size 65535
counter
timeout 1d
elements = { 192.168.0.100 counter packets 0 bytes 0 expires 
22h59m40s260ms }
}

chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr @bad_guys counter packets 0 bytes 0 drop
ct state invalid counter packets 22 bytes 3204 drop
ct state established,related counter packets 298 bytes 23763 
accept
iifname "lo" counter packets 0 bytes 0 accept
ip saddr @black counter packets 0 bytes 0 drop
ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 
bytes 2696 accept
udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
udp dport 53 counter packets 0 bytes 0 accept
tcp dport 53 counter packets 0 bytes 0 accept
fib daddr type multicast counter packets 0 bytes 0 drop
add @bad_guys { ip saddr } log level debug counter packets 0 
bytes 0 drop
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
}

chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
<<<

And here is the nft -s list ruleset
>>>
root@y6:~ # nft -s list ruleset
table ip filter {
set bad_guys {
type ipv4_addr
size 65535
counter
timeout 31m
}

set black {
type ipv4_addr
size 65535
flags interval
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 
counter packets 0 bytes 0 }
}

set dns_black {
type ipv4_addr
size 65535
counter
timeout 1d
elements = { 192.168.0.100 counter packets 0 bytes 0 expires 
22h58m48s84ms }
}

chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr @bad_guys counter packets 0 bytes 0 drop
ct state invalid counter packets 22 bytes 3204 drop
ct state established,related counter packets 351 bytes 28667 
accept
iifname "lo" counter packets 0 bytes 0 accept
ip saddr @black counter packets 0 bytes 0 drop
ip saddr 192.168.0.0/16