top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

TCP flags syntax in nftables

+1 vote
631 views

I've done some digging but really can't find a good explanation of the syntax for matching TCP flags in nftables. In iptables a rule can be written like:

-A TEST_BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BADFLAGS

How do I do the equivalent in nftables? Also are we still able to use the "ALL" and "NONE" keywords?

posted Mar 23, 2017 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+1 vote

How do i set tcp flags ? I tried

 nft add rule filter output tcp flags {syn,rst} counter

but failed ... also can some point me to valid syntaxes ..

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

0 votes

While I was looking for ways to move some firewalling functionality into user space (parse packet to decide whether to drop or accept the packet along with some reporting in the drop case), I came across iptable's NFQUEUE target, which, along with libnetfilter_queue, seems to be a perfect match for my use case.
However, parts of the doxygen documentation (at https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/modules.html )
are marked deprecated (i.e. Queue handling, Library setup, Message parsing functions, and Printing).

I may have missed it while I was searching the netfilter mailing list archives in this context, but I could not find any hint on the reason why these parts of libnetfilter_queue are deprecated (apart from nfq_set_verdict_mark() being marked as deprecated) nor did I find any hint on a replacement. Could you enlighten me here?

0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

0 votes

I have a setup* in which I have a server with multiple virtual network interfaces (vif1 .. vifX) that are connected (bridged) to one virtual machine each (vm1 .. vmX) which all have the same IP and MAC (let's say 192.168.1.100 resp. 00:11:22:33:44:55). In addition to that my server also has one regular network interface (eth0) connected to the rest of my network (10.0.0.0/16).

Now I would like to be able to provide NAT-like capabilities such that every packet coming from vm1 reaches the regular network as coming from 10.0.1.1, every packet coming from vm2 as 10.0.1.2 and so on. Of course, packets coming from the network destined towards 10.0.1.x should also be correctly translated by the server such that vmX will receive them.

From what I understand I could use ebtables with the snat-target to rewrite the MAC addresses for the vifX bridges, such that the remaining network would see at least a different MAC address per VM. However, I cannot see an easy solution to rewrite the IP. Using iptables nat-table and the snat-target will not work, since I would need to also filter on the source-mac or incoming device, but the snat-target is only available on the POSTROUTING chain.

One possible to solution would be to write a small program that listens on a rawsocket on every interface, rewrites packets and re-sends them on the correct interface, but I'd rather avoid that and use standard tools instead.

I would be very grateful for ideas/tips,

...