[Bug 1368] New: The "meta's"
bugzilla-daemon at netfilter.org
Mon Oct 7 07:52:29 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1368
Bug ID: 1368
Summary: The "meta's"
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad1073 at gmail.com
#!/usr/bin/nftables -f
define g6dns = { 2001:4860:4860::8888, 2001:4860:4860::8844 }
define o4dns = { 208.67.222.222, 208.67.220.220 }
define o6dns = { 2620:119:35::35, 2620:119:53::53 }
define myIPv4 = <filtered>
define myIPv6 = <filtered>

flush ruleset

table inet filter {
    set dns4 {
        type ipv4_addr;
        elements = { $g4dns, $o4dns }
    }
    set dns6 {
        type ipv6_addr;
        elements = { $g6dns, $o6dns }
    }
    set smb {
        type inet_service;
        elements = { 137, 138, 139, 445 }
    }
    chain global {
        ct direction original counter accept
        ct state { established, related } counter accept
        ct status confirmed counter accept
        ct state { invalid, untracked } counter jump global_drop
        counter drop
    }
    chain global_dns {
        ct direction original counter accept
        ct state { established, related } counter accept
        ct status { expected, assured, confirmed } counter accept
        ct state { invalid, untracked } counter jump global_drop
        counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump global_dns
        meta protocol { ip, ip6 } saddr { @dns4, @dns6 } daddr { $myIPv4, myIPv6 }
        jump global_dns
        meta l4proto { tcp, udp } @ht,16,16 @dns jump global_dns
        meta l4proto { tcp, udp } @ht,16,16 { http, https, proxy, @smb, }jump global
    }
}

The above is how I think it should work but it doesn't.
Reference "https://www.netfilter.org/projects/nftables/manpage.html"
Reference "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta"