Difference between revisions of "Matching packet headers"

From nftables wiki
Jump to navigation Jump to search
m (fix syntax for tcp flag bit matching)
(→‎Matching IPv6 header fields: typo, fix consistency with the example)
(9 intermediate revisions by 2 users not shown)
Line 9: Line 9:
</source>
</source>


= Maching Ethernet header fields =
= Matching Ethernet header fields =


If you want to match ethernet traffic whose destination address is ff:ff:ff:ff:ff:ff, you can type the following command:
If you want to match ethernet traffic whose destination address is ff:ff:ff:ff:ff:ff, you can type the following command:
Line 34: Line 34:
= Matching IPv6 header fields =
= Matching IPv6 header fields =


If you want to account IPv6 traffic that is addressed to ''abdc::100'', you can type the following command:
If you want to account IPv6 traffic that is addressed to ''abcd::100'', you can type the following command:


<source lang="bash">
<source lang="bash">
Line 46: Line 46:
</source>
</source>


Do not forget to create an ''ip6'' [[Configuring tables|table]] and register the corresponding [[Configuring chains|chains]] to run the example below:
Do not forget to create an ''ip6'' [[Configuring tables|table]] and register the corresponding [[Configuring chains|chains]] to run the examples.
 
NOTE: the syntax mixing IPv6/IPv4 notation is not supported yet: '::ffff:192.168.1.0'


= Matching TCP/UDP/UDPlite traffic =
= Matching TCP/UDP/UDPlite traffic =


The following examples shows how to drop all tcp traffic for low TCP ports (1-1024):
The following examples show how to drop all tcp traffic for low TCP ports (1-1024):


<source lang="bash">
<source lang="bash">
Line 58: Line 60:
Note that this rule is using an [[intervals|interval]] (from 1 to 1024).
Note that this rule is using an [[intervals|interval]] (from 1 to 1024).


To match on TCP flags, you need to use binary operation. For example, to count packet that are not SYN one:
To match on TCP flags, you need to use a binary operation. For example, to count packets that are not SYN ones:


<source lang="bash">
<source lang="bash">
Line 64: Line 66:
</source>
</source>


More complex filters can be used. For example, to count and log TCP packet with flag SYN and ACK set:
More complex filters can be used. For example, to count and log TCP packets with flags SYN and ACK set:


<source lang="bash">
<source lang="bash">
% nft -i
% nft -i
nft> add rule filter output tcp flags & (syn | ack) == syn | ack counter log
nft> add rule filter output tcp flags & (syn | ack) == syn | ack counter log
</source>
This example drops TCP SYN packets which a MSS lower than 500:
<source lang="bash">
% nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop
</source>
</source>


= Matching ICMP traffic =
= Matching ICMP traffic =


You can drop all ICMP echo request (popularly known as ''ping'') via:
You can drop all ICMP echo requests (popularly known as ''pings'') via:


<source lang="bash">
<source lang="bash">
Line 94: Line 102:
* address-mask-request
* address-mask-request
* address-mask-reply
* address-mask-reply
= Matching UDP/TCP headers in the same rule =
Matching several transport protocols in a single rule is a new feature of nftables that wasn't present in iptables.
The following example matches the tcp/udp port 53 in the transport header:
<source lang="bash">
% nft add rule filter input meta l4proto { tcp, udp } @th,16,16 53 counter packets 0 bytes 0 accept comment \"accept DNS\"
</source>

Revision as of 15:57, 30 July 2019

The nft command line utility supports the following layer 4 protocols: AH, ESP, UDP, UDPlite, TCP, DCCP, SCTP and IPComp.

Matching transport protocol

The following rule shows how to match any kind of TCP traffic:

% nft add rule filter output ip protocol tcp

Matching Ethernet header fields

If you want to match ethernet traffic whose destination address is ff:ff:ff:ff:ff:ff, you can type the following command:

% nft add rule filter input ether daddr ff:ff:ff:ff:ff:ff counter

Do not forget that the layer 2 header information is only available in the input path.

Matching IPv4 header fields

You can also match traffic based on the IPv4 source and destination, the following example shows how to account all traffic that comes from 192.168.1.100 and that is addressed to 192.168.1.1:

% nft add rule filter input ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter

Note that, since the rule is attached to the input chain, your local machine needs to use the 192.168.1.1 address, otherwise you won't see any matching ;-).

To filter on a layer 4 protocol like TCP, you can use the protocol keyword:

% nft add rule filter input protocol tcp counter

Matching IPv6 header fields

If you want to account IPv6 traffic that is addressed to abcd::100, you can type the following command:

% nft add rule filter output ip6 daddr abcd::100 counter

To filter on a layer 4 protocol like TCP, you can use the nexthdr keyword:

% nft add rule filter input ip6 nexthdr tcp counter

Do not forget to create an ip6 table and register the corresponding chains to run the examples.

NOTE: the syntax mixing IPv6/IPv4 notation is not supported yet: '::ffff:192.168.1.0'

Matching TCP/UDP/UDPlite traffic

The following examples show how to drop all tcp traffic for low TCP ports (1-1024):

% nft add rule filter input tcp dport 1-1024 counter drop

Note that this rule is using an interval (from 1 to 1024).

To match on TCP flags, you need to use a binary operation. For example, to count packets that are not SYN ones:

% nft add rule filter input tcp flags != syn counter

More complex filters can be used. For example, to count and log TCP packets with flags SYN and ACK set:

% nft -i
nft> add rule filter output tcp flags & (syn | ack) == syn | ack counter log

This example drops TCP SYN packets which a MSS lower than 500:

% nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

Matching ICMP traffic

You can drop all ICMP echo requests (popularly known as pings) via:

% nft add rule filter input icmp type echo-request counter drop

Here is the list of available icmp types:

  • echo-reply
  • destination-unreachable
  • source-quench
  • redirect
  • echo-request
  • time-exceeded
  • parameter-problem
  • timestamp-request
  • timestamp-reply
  • info-request
  • info-reply
  • address-mask-request
  • address-mask-reply

Matching UDP/TCP headers in the same rule

Matching several transport protocols in a single rule is a new feature of nftables that wasn't present in iptables.

The following example matches the tcp/udp port 53 in the transport header:

% nft add rule filter input meta l4proto { tcp, udp } @th,16,16 53 counter packets 0 bytes 0 accept comment \"accept DNS\"