From: "Aurel Wisse" <nf@awisse.ca>
To: Eric <evil.function@proton.me>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables expressions and operators
Date: Mon, 06 Nov 2023 10:41:34 -0500
Message-ID: <5632b8a7-086b-40f1-9c21-b1edab7d12d6@app.fastmail.com>
In-Reply-To: <X2O35_4Q47kM5H3VjpNF-lwnTiykyG7DN7EUFegqHKDH-OW-eHGVhsHOyH1F6hQ35mjsN56xJSJSOTIoFFqz0dHZIsy4CCoHSoqEtanfgn4=@proton.me>

Thank you Eric. Very helpful indeed in order to better understand exported existing rules. 

On Mon, Nov 6, 2023, at 10:28, Eric wrote:
> On Monday, November 6th, 2023 at 06:24, Aurel Wisse <nf@awisse.ca> wrote:
>> Thank you for the quick answer. That explains part of it. Still,
>>
>> `tcp flags & (fin|syn|rst|ack) != syn` becomes
>> `tcp != syn / fin,syn,rst,ack`
>>
>> and both expressions are interpreted as equal after parsing. Can you please point me to any documentation of operator expression syntax/precedence ?
>
> This is not the answer you're looking for, but it may help...
>
> When I was first learning nft expressions I found it most helpful to 
> dump various rules in json format, where it's really easy to see the 
> expressions in the abstract syntax tree, and compare that with both the 
> input and output forms.  Also, you can clearly see the statements after 
> the "match" entries, like "counter", "set", "jump" and so on nicely 
> separated.
>
> (Oh, and in your OP, the "*logical* or/and" should be "*bitwise* 
> or/and", as the "flags" are a bit mask.)
>
> Input - if you don't have this form, then the json is far more 
> enlightening:
>     tcp flags & (fin | syn | rst | ack) == syn   jump syn_flood   
> comment "Rate limit TCP syn packets"
>
> Output (i.e., 'nft list ruleset | grep 'Rate limit TCP')
>     tcp flags syn / fin,syn,rst,ack jump syn_flood comment "Rate limit 
> TCP syn packets"
>
> $ nft -j list chain inet filter input | json_pp
> ...
>       {
>          "rule" : {
>             "chain" : "input",
>             "comment" : "Rate limit TCP syn packets",
>             "expr" : [
>                {
>                   "match" : {
>                      "left" : {
>                         "&" : [
>                            {
>                               "payload" : {
>                                  "field" : "flags",
>                                  "protocol" : "tcp"
>                               }
>                            },
>                            [
>                               "fin",
>                               "syn",
>                               "rst",
>                               "ack"
>                            ]
>                         ]
>                      },
>                      "op" : "==",
>                      "right" : "syn"
>                   }
>                },
>                {
>                   "jump" : {
>                      "target" : "syn_flood"
>                   }
>                }
>             ],
>             "family" : "inet",
>             "handle" : 210,
>             "table" : "filter"
>          }
>       },
> ...
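The two spellings discussed in this thread are the same match: `tcp flags & (mask) == value` is listed back by nft as `tcp flags value / mask`, and both mean `(flags & mask) == value`. The following is an added, stand-alone example, not code from the thread or from nftables itself. It models that semantic in Python so the forms can be compared offline, evaluates sample packets against them, and emits the `match` node in the shape Eric's `nft -j` dump shows. Assumptions: the standard TCP header bit values for the flag names nft uses; a hypothetical parser that handles only the `&`, `/` and plain single-list spellings (with an optional leading `!=`); the plain form `tcp flags syn` is modelled as "bit set" (mask equal to value), which is why it also matches SYN+ACK and why the masked form is the one used for SYN rate limiting. Nothing here invokes nft.

```python
"""Model of the nftables TCP-flag mask match, in its three spellings.

Added example, not nft's own code.  nft parses
    tcp flags & (fin|syn|rst|ack) == syn
and lists it back as
    tcp flags syn / fin,syn,rst,ack        (value / mask)
Both mean (flags & mask) == value.  The plain form
    tcp flags syn
only tests that the bit is set (mask == value), so it also matches SYN+ACK.
"""
import re

# Standard TCP header flag bits, under the names nft uses (assumption: these
# are the only names the hypothetical parser below needs to know).
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

_AMP = re.compile(r"^tcp flags & \(([^)]+)\) (==|!=) \(?([^)]+)\)?$")
_SLASH = re.compile(r"^tcp flags (!= )?([a-z,]+) / ([a-z,]+)$")
_PLAIN = re.compile(r"^tcp flags (!= )?([a-z,]+)$")


def flags_value(names):
    """OR together flag names given as 'fin,syn' or 'fin | syn'."""
    value = 0
    for name in re.split(r"[,|]", names.replace(" ", "")):
        if name:
            value |= TCP_FLAGS[name]
    return value


def flag_names(value):
    """Inverse of flags_value, in header bit order (fin, syn, rst, ...)."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def parse(expr):
    """Return (value, mask, negate) for any of the three spellings."""
    expr = " ".join(expr.split())          # collapse mail-wrapped whitespace
    m = _AMP.match(expr)
    if m:
        return flags_value(m.group(3)), flags_value(m.group(1)), m.group(2) == "!="
    m = _SLASH.match(expr)
    if m:
        return flags_value(m.group(2)), flags_value(m.group(3)), m.group(1) is not None
    m = _PLAIN.match(expr)
    if m:
        value = flags_value(m.group(2))
        return value, value, m.group(1) is not None   # "bit set": mask == value
    raise ValueError(f"unsupported tcp flags expression: {expr!r}")


def matches(expr, packet_flags):
    """True if a packet carrying packet_flags (e.g. 'syn,ack') hits the rule."""
    value, mask, negate = parse(expr)
    hit = (flags_value(packet_flags) & mask) == value
    return hit != negate


def to_nft_json(expr):
    """Emit the 'match' node in the shape 'nft -j' prints for the & form."""
    value, mask, negate = parse(expr)
    right = flag_names(value)
    return {
        "match": {
            "left": {"&": [{"payload": {"protocol": "tcp", "field": "flags"}},
                           flag_names(mask)]},
            "op": "!=" if negate else "==",
            "right": right[0] if len(right) == 1 else right,
        }
    }


if __name__ == "__main__":
    masked = "tcp flags & (fin | syn | rst | ack) == syn"
    listed = "tcp flags syn / fin,syn,rst,ack"
    plain = "tcp flags syn"
    assert parse(masked) == parse(listed)
    # Constructed sample packets: only the masked form isolates a bare SYN.
    for pkt in ("syn", "syn,ack", "syn,psh", "ack"):
        print(f"{pkt:8} masked={matches(masked, pkt)!s:5} plain={matches(plain, pkt)}")
```

To confirm the equivalence on a real system rather than in this model, load both spellings into a scratch table and compare their `nft -j list ruleset` output as Eric does above; the `&` form and the `/` form produce the same `match` node.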

Thread overview: 5+ messages
2023-11-06 13:11 nftables expressions and operators Aurel Wisse
2023-11-06 13:28 ` Pablo Neira Ayuso
2023-11-06 14:24   ` Aurel Wisse
2023-11-06 15:28     ` Eric
2023-11-06 15:41       ` Aurel Wisse [this message]
