Hi Guys,
I want to create a firewall with nftables.
I have been looking at an example firewall on the Arch Linux wiki here.
https://wiki.archlinux.org/title/Nftables
I am wondering if someone could give me some info on this line here:
nft add rule inet my_table my_input 'meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump my_tcp_chain'
I can find no information on either the nftables wiki or the nftables man page on the usage of the "&" and "==" operators.
Does anyone know where this is documented?
I am trying to understand what that nftables rule actually does.
Thank you for your help.
"flags & (fin|syn|rst|ack) == syn"
Of the fin, syn, rst and ack flags, only "syn" is there.
https://wiki.nftables.org/wiki-nftables … 10_minutes
https://www.geeksforgeeks.org/tcp-flags/
Hi Seth,
Thanks for your help.
nft add rule inet my_table my_input 'meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump my_tcp_chain'
I am just trying to understand the relevance of the other flags. If it is only the presence of the syn flag that results in the jump to my_tcp_chain couldn't you just write it this way?
nft add rule inet my_table my_input tcp flags == syn ct state new jump my_tcp_chain
Last edited by Orac (2021-09-17 08:26:31)
l4proto: https://www.spinics.net/lists/netfilter/msg57618.html
If you look at https://www.geeksforgeeks.org/tcp-flags/ again, there're more than 4 flags.
So the first line matches syn|psh|urg while your second line will not match if there's a PSH or URG (or any other flag next to SYN).
Off topic: Please use code tags for better readability, https://bbs.archlinux.org/help.php#bbcode
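The difference the replies describe can be checked without a running firewall. The following is an added example (not code from the thread, the Arch wiki or nftables itself): a small Python model of the three ways the rule could be written, evaluated against a handful of constructed TCP flag combinations. The flag bit values are the standard TCP header bits; the names follow nftables, which calls the ECE bit "ecn". Everything else (the function and packet names) is made up for illustration.

```python
"""Model of nftables TCP flag matching, to show why the Arch wiki rule
masks with (fin|syn|rst|ack) before comparing to syn.

Added example; not code from the thread, the wiki or nftables.
"""
from functools import reduce
from operator import or_

# TCP flag bits in the order they sit in the header (low bit = FIN).
# nftables spells the ECE bit "ecn".
FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}


def mask(*names):
    """Combine flag names into one bitmask, like nft's `fin|syn|rst|ack`."""
    return reduce(or_, (FLAGS[n] for n in names), 0)


FOUR = mask("fin", "syn", "rst", "ack")


def wiki_rule(pkt_flags):
    """tcp flags & (fin|syn|rst|ack) == syn

    Only the four handshake-relevant bits are inspected; PSH/URG/ECN/CWR
    are ignored, so a SYN carrying any of them still matches.
    """
    return (pkt_flags & FOUR) == FLAGS["syn"]


def exact_rule(pkt_flags):
    """tcp flags == syn

    Compares the whole flag byte, so a SYN with any extra bit set
    (e.g. the ECN-setup SYN of RFC 3168, syn|ecn|cwr) does NOT match.
    """
    return pkt_flags == FLAGS["syn"]


def any_rule(pkt_flags):
    """tcp flags syn   (nft shorthand for: tcp flags & syn != 0)

    Matches any packet with the SYN bit set, including syn|ack replies,
    which is usually not what an input chain wants.
    """
    return (pkt_flags & FLAGS["syn"]) != 0


# Constructed flag combinations, not captured traffic.
SAMPLE_PACKETS = {
    "SYN":         mask("syn"),
    "SYN|PSH|URG": mask("syn", "psh", "urg"),   # the reply's example
    "SYN|ECN|CWR": mask("syn", "ecn", "cwr"),   # ECN-setup SYN, RFC 3168
    "SYN|ACK":     mask("syn", "ack"),          # handshake reply
    "ACK":         mask("ack"),                 # mid-stream packet
    "FIN|SYN":     mask("fin", "syn"),          # bogus combination
}


def evaluate(pkt_flags):
    """Return which of the three rule forms would match this flag byte."""
    return {
        "mask":  wiki_rule(pkt_flags),
        "exact": exact_rule(pkt_flags),
        "any":   any_rule(pkt_flags),
    }


def table():
    """Evaluate every sample packet; keyed by its flag description."""
    return {name: evaluate(f) for name, f in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(f"{'flags':<12} {'mask':>6} {'exact':>6} {'any':>6}")
    for name, result in table().items():
        print(f"{name:<12} {str(result['mask']):>6} "
              f"{str(result['exact']):>6} {str(result['any']):>6}")
```

Running the script prints the table: SYN|PSH|URG and SYN|ECN|CWR match only the masked form, SYN|ACK and FIN|SYN match only the bare `tcp flags syn` form, and a lone ACK matches none. The practical reason the SYN check is there at all, even though the rule already says `ct state new`: with the default `nf_conntrack_tcp_loose=1`, conntrack will happily create a "new" entry for a mid-stream ACK, so `ct state new` alone does not guarantee the packet is the first packet of a handshake. The masked comparison is what restricts the jump to genuine connection attempts without dropping standards-conformant SYNs that carry ECN bits.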