Gentoo Forums
[solved ... moving on] nftables: and, or, not for match?
dpaddy
Tux's lil' helper
Joined: 25 Jun 2008
Posts: 117
Posted: Fri Apr 14, 2017 9:54 pm    Post subject: [solved ... moving on] nftables: and, or, not for match?

Using gotos, I can cruft together performing action(s) only if conditions are true, and alternatively only if condition(s) are false (which gives me a Schaefer set so that nftables becomes useful).

Although there is surely a way without using gotos, my tired old eyes have not recognized it in tfm. :oops:


Last edited by dpaddy on Sat Apr 15, 2017 5:48 pm; edited 3 times in total
dpaddy
Tux's lil' helper
Joined: 25 Jun 2008
Posts: 117
Posted: Fri Apr 14, 2017 10:24 pm

I'm calling it a day... will proceed with goto's, although it is nearly beyond belief that a matching language has left out "and", "or", and "not" :o
dpaddy
Tux's lil' helper
Joined: 25 Jun 2008
Posts: 117
Posted: Sat Apr 15, 2017 10:15 am

I can appreciate that execution speed, ease of implementation, and ease of maintenance (of nftables) could be reasons for leaving out a logic parser. Anyhow, expressing the logic expression in disjunctive normal form makes it particularly well suited for using "continue" statements, so a well-structured set of rules implements any compound logic :D
dpaddy
Tux's lil' helper
Joined: 25 Jun 2008
Posts: 117
Posted: Sat Apr 15, 2017 1:33 pm

Don't know what I was thinking regarding "continue" statements...
The more I think about nftables and the more I read the "documentation", the more I realize I have no clue about what "continue" is good for.

ON A RELATED SUBJECT:
I have no idea what the match semantics are of the syntax commonly found in example rules (that is not for lack of effort; I have read tfm -- though my tired eyes could have overlooked key points).
The example
Quote:
You can also match traffic based on the IPv4 source and destination, the following example shows how to account all traffic that comes from 192.168.1.100 and that is addressed to 192.168.1.1:

% nft add rule filter input ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter
suggests an implied "and" between "ip saddr 192.168.1.100" and "ip daddr 192.168.1.1", whereas the example
Quote:
ip saddr 1.1.1.1 ip daddr 2.2.2.2 tcp dport 111 tcp dport 222 goto other-chain
suggests an implied "or" between "tcp dport 111" and "tcp dport 222" -- or can a packet simultaneously have two destination ports (beats me)?

I have been unable to find an explanation for implied "ands" (if any), "ors" (if any), "nots" (if any), grouping-and-precedence (if any) in rules, nor have I been able to locate a clear, unambiguous specification of semantics w.r.t. control flow within a rule. I'd like to believe it is all "ands" (so grouping is a non-issue), but it would be nice to see that in documentation.

Anyone know of good documentation which explicitly addresses such things :?: Such things are, after all, important :!:
dpaddy
Tux's lil' helper
Joined: 25 Jun 2008
Posts: 117
Posted: Sat Apr 15, 2017 2:15 pm

I'm going to assume nftables is essentially a wrapper providing syntactic sugar for iptables... that (assumption) has the advantage of enlarging the collection of available documentation.
While realizing that nftables -- even if conforming to my assumption -- may mess with the rule semantics of iptables, at this point I'm desperate and eager to get on with things...

Accordingly, http://homes.di.unimi.it/sisop/qemu/iptables-tutorial.pdf seems (so far) a good read. :wink:
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13975
Posted: Sat Apr 15, 2017 3:04 pm

dpaddy wrote:
can a packet simultaneously have two destination ports (beats me)?
No, but you might want to write a single rule that can match multiple logically related types of traffic. For example, if you run an http/https web server and you want to use a firewall to limit the addresses which can talk to it, it might make sense to have one stage be (tcp.port == 80 || tcp.port == 443), so that later stages run only for incoming http/https, but not incoming smtp. The latter stage would then implement the IP-based whitelist (or logging, or rate-limiting, etc.).
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5854
Posted: Sat Apr 15, 2017 7:14 pm

This is "or" syntax:
Code:
tcp dport { 80, 443 }
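The rule semantics the thread is asking about, as an added example that is not from any poster here: in nftables, expressions written side by side in one rule are implicitly ANDed (so the quoted `tcp dport 111 tcp dport 222` can never match, since one packet has a single destination port), OR is written as a set, and NOT as the `!=` operator. The addresses, ports and the chain name web_acl are constructed for illustration, and the two-stage layout follows Hu's http/https-then-allow-list description.

```nft
# Added example (not from the thread): AND, OR and NOT in nftables rules.
# All addresses, ports and chain names are constructed for illustration.
table inet filter {
    # Second stage, reached only via the goto from the http/https rule below.
    # Rules are evaluated top to bottom; a rule without a verdict falls
    # through to the next rule, which is what the "continue" verdict spells out.
    chain web_acl {
        ip saddr 192.168.1.0/24 counter accept   # allow-listed source range
        ip saddr 10.0.0.5 counter accept         # allow-listed single host
        counter drop                             # every other web client
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # AND: both expressions must match for the counter to increment;
        # "continue" just makes the default fall-through explicit.
        ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter continue

        # OR: an anonymous set matches when any element matches.
        # goto hands the packet to web_acl and does not return here.
        tcp dport { 80, 443 } goto web_acl

        # NOT: != negates a single match; combined (ANDed) with the port match,
        # this drops ssh attempts from outside the trusted range.
        ip saddr != 192.168.1.0/24 tcp dport 22 counter drop
        tcp dport 22 accept
    }
}
```

Save the block to a file and run `nft -c -f <file>` to parse it without loading it, then `nft -f <file>` to install it.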