Adding rules in code produces different results and logs than the rules I added directly from the command line #247
opened on Nov 9, 2023
When I used these command lines
{
# Create the ip-family table and an output-hook filter chain at priority 0.
nft add table ip filter
nft add chain ip filter output { type filter hook output priority 0; }
# Interval set of IPv4 addresses; its only element is a single address (no range).
nft add set filter ipSet { type ipv4_addr ; flags interval;}
nft add element ip filter ipSet {10.34.11.179}
# Interval set of inet_service (port) values; its only element is port 1234.
nft add set filter portSet { type inet_service ; flags interval;}
nft add element ip filter portSet {1234}
# Count, log and drop outgoing TCP packets whose daddr and dport are in the two sets.
nft add rule ip filter output ip daddr @ipSet tcp dport @portSet counter log drop
}
to add a rule that references the sets, it worked correctly.
But when I used nftables-main to add a similar rule, it also blocked TCP traffic to "127.0.0.1".
The code is:
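// main installs a ruleset meant to mirror the CLI reproduction in this
// issue: an ip/filter table with an output-hook chain, an interval set of
// IPv4 addresses, an interval set of ports, and one rule that counts, logs
// and drops TCP packets whose destination address and port are in those sets.
//
// Every error path now panics instead of returning silently: with a bare
// return, a failing AddSet or Flush (the point at which the queued
// operations are actually sent to the kernel) is indistinguishable from a
// successfully installed ruleset, which hides exactly the kind of mismatch
// this report is about.
func main() {
	c, err := nftables.New()
	if err != nil {
		panic(err)
	}
	c.FlushRuleset()

	filter := c.AddTable(&nftables.Table{
		Family: nftables.TableFamilyIPv4,
		Name:   "filter",
	})
	output := c.AddChain(&nftables.Chain{
		Name:     "output",
		Hooknum:  nftables.ChainHookOutput,
		Priority: nftables.ChainPriorityFilter,
		Table:    filter,
		Type:     nftables.ChainTypeFilter,
	})

	// NOTE(review): the CLI version of these sets uses `flags interval` only
	// and adds single elements, whereas here Concatenation is set on a
	// single-typed key and the element is a range expressed via Key/KeyEnd.
	// Whether that combination is what makes 127.0.0.1 match cannot be
	// confirmed from this listing — compare the installed set definitions
	// with `nft list ruleset` against the CLI-created ones.
	ipSet := &nftables.Set{
		Name:          "ipSet",
		Table:         filter,
		Interval:      true,
		Concatenation: true,
		KeyType:       nftables.TypeIPAddr,
	}
	if err := c.AddSet(ipSet, []nftables.SetElement{
		{
			Key:    []byte(net.ParseIP("10.34.11.179").To4()),
			KeyEnd: []byte(net.ParseIP("10.34.11.180").To4()),
		},
	}); err != nil {
		panic(err)
	}

	portSet := &nftables.Set{
		Name:          "portSet",
		Table:         filter,
		Interval:      true,
		Concatenation: true,
		KeyType:       nftables.TypeInetService,
	}
	if err := c.AddSet(portSet, []nftables.SetElement{
		{
			Key:    binaryutil.BigEndian.PutUint16(1234),
			KeyEnd: binaryutil.BigEndian.PutUint16(1235),
		},
	}); err != nil {
		panic(err)
	}

	c.AddRule(&nftables.Rule{
		Table: filter,
		Chain: output,
		Exprs: []expr.Any{
			// ip daddr: 4 bytes at offset 16 of the IPv4 header into reg 1.
			&expr.Payload{
				DestRegister: 1,
				Base:         expr.PayloadBaseNetworkHeader,
				Offset:       16,
				Len:          4,
			},
			// ... @ipSet
			&expr.Lookup{
				SourceRegister: 1,
				SetName:        ipSet.Name,
				SetID:          ipSet.ID,
			},
			// meta l4proto == tcp, so the transport-header read below is a TCP header.
			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
			&expr.Cmp{
				Op:       expr.CmpOpEq,
				Register: 1,
				Data:     []byte{unix.IPPROTO_TCP},
			},
			// tcp dport: 2 bytes at offset 2 of the transport header into reg 1.
			&expr.Payload{
				DestRegister: 1,
				Base:         expr.PayloadBaseTransportHeader,
				Offset:       2,
				Len:          2,
			},
			// ... @portSet
			&expr.Lookup{
				SourceRegister: 1,
				SetName:        portSet.Name,
				SetID:          portSet.ID,
			},
			// counter log drop
			&expr.Counter{},
			&expr.Log{},
			&expr.Verdict{
				Kind: expr.VerdictDrop,
			},
		},
	})

	// Nothing above has reached the kernel until Flush succeeds.
	if err := c.Flush(); err != nil {
		panic(err)
	}
}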