
TCP Header Expressions

Content #

Expression   Description
ackseq       Acknowledgment number
checksum     Checksum of the packet
doff         Data offset
dport        Port to which the packet is destined
flags        TCP flags
sequence     Sequence number
sport        Port from which the packet originated
urgptr       Urgent pointer value
window       TCP window value


Payload Expressions for IPv4

Content #

Expression   Description
checksum     Checksum of the IP header
daddr        Destination IP address
frag-off     Fragmentation offset
hdrlength    Length of the IP header, including options
id           IP identifier
length       Total length of the packet
protocol     Protocol in use at the layer above IP
saddr        Source IP address
tos          Type of Service value
ttl          Time to Live value
version      IP header version, which will always be 4 for IPv4 expressions


Conntrack expressions

Content #

Conntrack expressions are included with the keyword ct followed by one of these options:

  • daddr
  • direction
  • expiration
  • helper
  • l3proto
  • mark
  • protocol
  • proto-src
  • proto-dst
  • saddr
  • state
  • status

state expression #

Matches on the connection-tracking state recorded for the packet, so the processing rule has context about the ongoing exchange of related traffic.

  • new A new packet arriving at the firewall, a TCP packet with the SYN flag set, for example.
  • established A packet that’s part of a connection that’s already being processed or tracked.
  • invalid A packet that doesn’t conform to protocol rules.
  • related A packet that’s related to a connection for a protocol that doesn’t use other means to track its state, such as ICMP or passive FTP.
  • untracked An administrative state used for bypassing connection tracking, typically used in special cases only.

Example use: allow established and related SSH connections (the rule is given in the cook:nft note below).

...

Meta Expressions in nftables

Content #

Expression   Description
iif          Index of the interface that received the packet
iifname      Name of the interface on which the packet was received
iiftype      Type of interface on which the packet was received
length       Length of the packet in bytes
mark         The packet mark
oif          Index of the interface that will output the packet
oifname      Name of the interface on which the packet will be sent
oiftype      Type of interface on which the packet will be sent
priority     The TC packet priority
protocol     The EtherType protocol
rtclassid    Routing realm for the packet
skgid        Group identifier of the originating socket
skuid        User identifier of the originating socket


Rule Syntax (nftables)

Commands #

{add | insert} rule [family] table chain [handle handle | index index] statement ... [comment comment]

replace rule [family] table chain handle handle statement ... [comment comment]

delete rule [family] table chain handle handle

Statements and verdicts #

  1. accept Accept the packet and stop processing.
  2. continue Continue processing the packet.
  3. drop Stop processing and silently drop the packet.
  4. goto Send processing to the specified chain but don’t return to the calling chain.
  5. jump Send processing to the specified chain and return to the calling chain when done or when a return statement is executed.
  6. limit Process the packet according to the rule if the limit of matching received packets has been reached.
  7. log Log the packet and continue processing.
  8. queue Stop processing and send the packet to the user-space process.
  9. reject Stop processing and reject the packet.
  10. return Send processing back to the calling chain.

nftables uses payload expressions and meta expressions #

Payload expressions are those that are gathered from packet information. For instance, there are certain header expressions such as sport and dport (source port and destination port, respectively) that apply to TCP and UDP packets and don’t make sense at the IPv4 and IPv6 layer, since those layers don’t use ports. Related notes: Payload Expressions for IPv4; TCP Header Expressions.

...

Chain Syntax (nftables)

Content #

{add | create} chain [family] table chain [{
    type type hook hook [device device] priority priority ;
    [policy policy ;]
    [comment comment ;]
}]

{delete | list | flush} chain [family] table chain

list chains [family]

delete chain [family] table handle handle

rename chain [family] table chain newname

When operating on a chain, there are six commands available:

  1. add - Add a chain to a table.
  2. create - Create a chain within a table unless a chain with the same name already exists.

...

Table Syntax (nftables)

Content #

{add | create} table [family] table [{ comment comment ; flags flags ; }]
{delete | list | flush} table [family] table
list tables [family]
delete table [family] handle handle

There are four commands available when working with a table:

  1. add - Add a table.
  2. delete - Delete a table.
  3. list - Display all of the chains and rules for a table.
  4. flush - Clear all chains and rules in a table.

List which tables are available:

...

Hooks in inet families

Content #

For the ip, ip6, and inet families the following hooks apply:

  1. prerouting Packets that have just arrived and haven’t yet been routed or processed by other parts of nftables.
  2. input Incoming packets that have been received and sent through the prerouting hook.
  3. forward If the packet will be sent to a different device, it will be available through the forward hook.
  4. output Packets outbound from processes on the local system.
  5. postrouting Just prior to leaving the system, the postrouting hook makes the packet available for further processing.

The ARP address family uses only the input and output hooks.

...

Address families (nftables)

Content #

Address families include:

  • ip—IPv4 addresses
  • ip6—IPv6 addresses
  • inet—Both IPv4 and IPv6 addresses
  • arp—Address Resolution Protocol (ARP) addresses
  • bridge—Processing for bridged packets

When not specified, the default address family is IP.


cook:nft

Content #

  • Prevent both address and port resolution

    nft list table filter -nn
    
  • Add an input chain to the filter table

    nft add chain filter input { type filter hook input priority 0 \; }
    
  • Allow established and related SSH connections.

    nft add rule filter input tcp dport 22 ct state established,related accept
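The ct state list, the chain hook/priority syntax and the cook:nft commands above combined into one minimal stateful inet ruleset in nft -f form. This is an added example, not code from the original notes; it assumes an inet table named filter, SSH on the port passed as the first argument (default 22), and that a syntax check is done with nft -c before loading.

```shell
#!/bin/sh
# Added example (not from the original notes): emit a minimal stateful
# firewall as an "nft -f" script, combining the ct state, hook/priority,
# meta and payload expressions covered above. Assumptions: an "inet"
# table named "filter" and SSH on the port given as $1 (default 22).
gen_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # hook input, priority 0 (same as the cook:nft chain), default drop
        type filter hook input priority 0; policy drop;
        # meta expression: anything arriving on loopback is accepted
        iifname "lo" accept
        # conntrack: replies to flows we started, plus related flows
        ct state established,related accept
        # packets that violate protocol rules never reach a service
        ct state invalid counter drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # new SSH connections: rate-limited, logged, then accepted;
        # packets above the limit do not match and fall to policy drop
        tcp dport ${ssh_port} ct state new limit rate 10/minute log prefix "ssh-new: " accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file and, when nft is installed, parse-check it
# with "nft -c -f" (check mode: nothing is loaded into the kernel).
# Loading it for real is "nft -f FILE" as root.
write_ruleset() {
    out="$1"
    gen_ruleset "$2" > "$out" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    fi
}
```

Run as `write_ruleset /etc/nftables.conf 22`; the policy drop on input means anything not matched by an explicit accept (including SSH SYNs above the limit) is silently dropped, which is the behaviour to verify before loading on a remote host.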
    
