On nftables chain priority - V2EX
yaott2020  2022-03-30 19:00:44 +08:00  1903 views
This topic was created 1293 days ago; the information in it may have developed or changed since.

I currently have the following rules:

```
table inet filter2 { # handle 39
    set iplist4 { # handle 3
        type ipv4_addr
    }
    set iplist6 { # handle 4
        type ipv6_addr
    }
    chain filter { # handle 12
        type filter hook input priority filter + 1; policy accept;
        ip saddr @iplist4 accept # handle 13
        ip6 saddr @iplist6 accept # handle 14
        drop # handle 16
    }
}
table ip default_filter { # handle 42
    chain filter { # handle 4
        type filter hook input priority filter; policy accept;
        tcp dport 8092 accept # handle 5
    }
}
```

With the configuration above, TCP port 8092 is unreachable; after removing the drop rule (filter2 -> filter -> drop), access to TCP port 8092 works normally.

My question: priority sets the order, and a smaller number means higher priority, yet with my settings I cannot block all ports other than TCP 8092. Where is my configuration wrong?

9 replies  last reply 2022-03-31 18:58:00 +08:00
#1  24owls  2022-03-30 20:18:03 +08:00

nft(8) -> STATEMENTS -> VERDICT STATEMENT -> accept

> Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.

Note the last clause.
#2  plko345  2022-03-30 21:21:52 +08:00 via Android

Is nftables nice to use? I learned some of it but never used it; I'm still on iptables.
#3  yaott2020 (OP)  2022-03-30 21:25:11 +08:00

Then how do I stop the later chains from matching?
#4  yaott2020 (OP)  2022-03-30 21:25:49 +08:00

@plko345 It's a bit more complex than iptables and not that easy to learn.
#5  24owls  2022-03-30 21:59:59 +08:00

> Then how do I stop the later chains from matching?

There's no particularly good way: either put them in (or jump to them from) the same base chain, or set a mark in the lower-priority chain first and then handle the special cases in the higher-priority chain based on that mark.
#6  yaott2020 (OP)  2022-03-30 22:03:20 +08:00

@24owls Having accept behave like this feels really dumb. Oh well, I'll go with marking then.
#7  yaott2020 (OP)  2022-03-30 22:18:02 +08:00

So tiring, it still doesn't work:

```
table inet default { # handle 47
    chain filter { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 8092 meta mark set 0x000000fb # handle 4
    }
}
table inet SafeFortress { # handle 49
    set iplist4 { # handle 2
        type ipv4_addr
        flags interval
    }

    set iplist6 { # handle 3
        type ipv6_addr
        flags interval
    }

    chain filter { # handle 1
        type filter hook input priority filter + 1; policy accept;
        meta mark 0x000000fb return # handle 4
        ip saddr @iplist4 accept # handle 5
        ip6 saddr @iplist6 accept # handle 6
        drop # handle 7
    }
}
```
#8  24owls  2022-03-30 22:55:04 +08:00

@yaott2020 Your configuration above has an even bigger problem: the rule `inet SafeFortress filter drop # handle 7` also drops the peer's TCP packets.

You still have to either add the peer IP to the allowed IP list, or allow `tcp sport 8092` through, or allow `ct state { established, related }` through.
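Added example, not a ruleset posted by anyone in the thread. It keeps the two-table layout and the names from reply #7 and applies the points made in replies #1, #5 and #8: the chain with the lower priority number runs first and only marks, the chain with the higher priority number returns on that mark instead of relying on an `accept` that the first chain can never make final, and replies to this host's own connections are let through by conntrack state so the trailing `drop` no longer discards the peer's packets. The set elements are constructed placeholders.

```nft
# Added example (not from the thread). Table, chain, set names and the mark value
# 0x000000fb are taken from reply #7; the set elements below are constructed.

table inet default {
    chain filter {
        type filter hook input priority filter; policy accept;
        # Only mark here. An 'accept' in this chain would end evaluation of
        # *this* chain, but the packet still traverses every other base chain
        # on the input hook, so accept alone cannot protect port 8092 from a
        # drop in a chain with a higher priority number.
        tcp dport 8092 meta mark set 0x000000fb
    }
}

table inet SafeFortress {
    set iplist4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }      # constructed sample element
    }

    set iplist6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }     # constructed sample element
    }

    chain filter {
        type filter hook input priority filter + 1; policy accept;
        # Replies to connections this host opened itself (including to a
        # remote :8092) would otherwise fall through to the final drop.
        # Matching on conntrack state is narrower than opening 'tcp sport 8092'
        # to any source.
        ct state established,related accept
        ct state invalid drop
        # In a base chain, 'return' ends this chain and applies its policy
        # (accept here), so marked packets never reach the drop below.
        meta mark 0x000000fb return
        ip saddr @iplist4 accept
        ip6 saddr @iplist6 accept
        drop
    }
}
```

Check the file with `nft -c -f rules.nft` before loading it with `nft -f rules.nft`, and confirm the result with `nft list ruleset`. The mark dance is only needed because the rules live in two base chains on the same hook; folding them into one base chain (the first option in reply #5) makes each verdict final and lets the `tcp dport 8092 accept` rule sit directly above the `drop`.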
#9  yaott2020 (OP)  2022-03-31 18:58:00 +08:00 via Android

Gave up... iptables is easier to use after all.