[Bug 1086] New: Nftables matching packet header fields and unexpected '(': wrong wiki info or bug?
bugzilla-daemon at netfilter.org
Sun Sep 11 19:18:19 CEST 2016
https://bugzilla.netfilter.org/show_bug.cgi?id=1086
Bug ID: 1086
Summary: Nftables matching packet header fields and unexpected '(': wrong wiki info or bug?
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: 1000.ontheroad at gmail.com
The official nftables wiki, in its "Matching packet header fields" section
(https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_header_fields),
suggests the following example to match packets with the SYN and ACK flags set:
% nft -i
nft> add rule filter output tcp flags & (syn | ack) == (syn | ack) counter log
When putting it into practice, it fails:
<cli>:1:51-51: Error: syntax error, unexpected '('
add rule filter output tcp flags & (syn | ack) == (syn | ack) counter log
^
I've discovered a workaround, removing the second pair of brackets:
nft> add rule filter output tcp flags & (syn | ack) == syn | ack counter log
The nft CLI seems to accept it. I did not check if it works, but I've set a similar
rule to block "Xmas scans" and, checked against an hping3 scan (-UPF option), it
seems to work fine:
nft> add rule filter input tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg log drop
Since I've seen that erroneous syntax in other nftables tutorials around the
net, I guess it *did* work at some time in the past, but now it's broken.
Debian Testing/Stretch
kernel 4.6.0-1-amd64
nftables 0.6-2
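To show what the mask-and-compare form used in the report's rules actually tests, here is an added example (not from the bug report or from nftables) that evaluates `tcp flags & <mask> == <value>` in Python over constructed TCP flag bytes. The flag bit values are the standard TCP header bits; the sample packets are constructed, not captured traffic.

```python
# TCP header flag bits, using the same flag names nft accepts in "tcp flags".
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}


def flag_mask(expr: str) -> int:
    """Turn an nft-style flag list such as '(fin | psh | urg)' into a bitmask."""
    mask = 0
    for name in expr.strip("() ").split("|"):
        name = name.strip()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown tcp flag: {name!r}")
        mask |= TCP_FLAGS[name]
    return mask


def masked_match(flags: int, mask_expr: str, value_expr: str) -> bool:
    """Evaluate 'tcp flags & <mask> == <value>' for one packet's flags byte."""
    return (flags & flag_mask(mask_expr)) == flag_mask(value_expr)


def exact_match(flags: int, value_expr: str) -> bool:
    """Evaluate a plain 'tcp flags == <value>' comparison, for contrast."""
    return flags == flag_mask(value_expr)


# The two rules from the report: (mask expression, value expression).
RULES = {
    "syn-ack": ("syn | ack", "syn | ack"),
    "xmas": ("fin | syn | rst | psh | ack | urg", "fin | psh | urg"),
}

# Constructed sample flag bytes (hypothetical packets, not captured data).
SAMPLES = {
    "syn": 0x02,              # first packet of a handshake
    "syn+ack": 0x12,          # server reply in a handshake
    "xmas": 0x29,             # fin+psh+urg, as the -UPF probe sets them
    "xmas+cwr": 0xA9,         # same three flags with the cwr bit also set
    "fin+syn+psh+urg": 0x2B,  # syn set too, so not the rule's Xmas pattern
}


def classify(flags: int) -> list:
    """Names of the report's rules that a packet with these flags would hit."""
    return [name for name, (m, v) in RULES.items() if masked_match(flags, m, v)]


if __name__ == "__main__":
    for label, flags in SAMPLES.items():
        print(f"{label:16s} 0x{flags:02x} -> {classify(flags)}")
```

Note that the masked form only compares the six listed bits, so the "xmas+cwr" sample still hits the Xmas rule while a plain `tcp flags == fin | psh | urg` comparison would miss it.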