google/nftables

inet table family and ip saddr expression

joewilliams opened this issue · 2 comments

Hello, I am having an issue and can't quite determine what's going wrong. I have a TableFamilyINet table and a TypeIPAddr set and a rule where I am attempting to drop packets based on source address.

			&expr.Payload{
				DestRegister: 1,
				Base:         expr.PayloadBaseNetworkHeader,
				Offset:       12, // IPv4 source address sits 12 bytes into the network header
				Len:          4,  // 4 bytes = one IPv4 address
			},

The resulting nftables output is:

table inet filter {
	set blocklistv4 {
		type ipv4_addr
		elements = { 1.1.1.1, 2.2.2.2,
			     3.3.3.3, 4.4.4.4,
			     5.5.5.5 }
	}

	chain blocklist {
		@nh,96,32 @blocklistv4 drop
	}
}

This doesn't block anything and I would have expected ip saddr @blocklist drop. Changing the table family to IPv4 fixes it. I assume @nh is referring to the header, 96 is an offset and 32 is how many bytes. Am I missing something with how the expression should be created so that it can work with INet?

Specifically for the inet table, try matching the protocol with meta + nfproto:

&expr.Meta{Key: expr.MetaKeyNFPROTO, Register: 1}                         // load the packet's L3 family into register 1
&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.NFPROTO_IPV4}} // only continue for IPv4 packets
&expr.Payload{...}

@gustavo-iniguez-goya bingo! That fixed it, thank you!
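Why the family check matters, as an added illustration that is not code from the issue or from google/nftables: it models the two rules in plain Go over constructed header bytes, with no netlink involved. The field names and the two sample headers are assumptions for the example; in an inet table the raw `@nh,96,32` match slices every packet at the same offset, which is the IPv4 source address for IPv4 but only the middle of the 16-byte source address for IPv6, so a `meta nfproto ipv4` guard is what makes it equivalent to `ip saddr`.

```go
package main

import (
	"fmt"
	"net/netip"
)

// @nh,96,32 on the page means 96 bits (12 bytes) into the network header,
// 32 bits (4 bytes) long: the IPv4 source address field. In an IPv6 header
// the same bytes are bytes 4..8 of the 16-byte source address (bytes 8..24).
const (
	saddrOffset = 12
	saddrLen    = 4
)

// blocklist mirrors two entries of the ipv4_addr set "blocklistv4".
var blocklist = map[netip.Addr]bool{
	netip.MustParseAddr("1.1.1.1"): true,
	netip.MustParseAddr("5.5.5.5"): true,
}

// nfproto returns the IP version nibble, as meta nfproto does in an inet table.
func nfproto(pkt []byte) int { return int(pkt[0] >> 4) }

// payloadLookup models the unguarded rule "@nh,96,32 @blocklistv4 drop":
// a fixed network-header slice looked up in the set, whatever the family.
func payloadLookup(pkt []byte) bool {
	if len(pkt) < saddrOffset+saddrLen {
		return false
	}
	var a4 [4]byte
	copy(a4[:], pkt[saddrOffset:saddrOffset+saddrLen])
	return blocklist[netip.AddrFrom4(a4)]
}

// guardedLookup models the fixed rule: meta nfproto ipv4, then the payload match.
func guardedLookup(pkt []byte) bool {
	return nfproto(pkt) == 4 && payloadLookup(pkt)
}

// Constructed header prefixes (no real traffic): an IPv4 header from 5.5.5.5,
// and an IPv6 header whose source address carries 05 05 05 05 at bytes 12..16.
var (
	ipv4FromBlocked = []byte{0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 5, 5, 5, 5, 10, 0, 0, 1}
	ipv6Packet      = []byte{0x60, 0, 0, 0, 0, 0, 6, 64, 0x20, 0x01, 0x0d, 0xb8, 5, 5, 5, 5, 0, 0, 0, 0, 0, 0, 0, 1}
)

func main() {
	fmt.Println(payloadLookup(ipv4FromBlocked), guardedLookup(ipv4FromBlocked)) // true true
	fmt.Println(payloadLookup(ipv6Packet), guardedLookup(ipv6Packet))           // true false
}
```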