I currently have the following ruleset:
```
table inet filter2 { # handle 39
    set iplist4 { # handle 3
        type ipv4_addr
    }
    set iplist6 { # handle 4
        type ipv6_addr
    }
    chain filter { # handle 12
        type filter hook input priority filter + 1; policy accept;
        ip saddr @iplist4 accept # handle 13
        ip6 saddr @iplist6 accept # handle 14
        drop # handle 16
    }
}
table ip default_filter { # handle 42
    chain filter { # handle 4
        type filter hook input priority filter; policy accept;
        tcp dport 8092 accept # handle 5
    }
}
```
With the configuration above, TCP port 8092 cannot be reached; once I remove the filter2 -> filter -> drop rule, access to TCP port 8092 works normally.
My question: priority sets the evaluation order, and a smaller number means higher priority, yet with my configuration I cannot block all ports except TCP 8092. Where did I configure this wrong?
1
24owls 2022-03-30 20:18:03 +08:00
nft(8) -> STATEMENTS -> VERDICT STATEMENT -> accept
Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline. Note the last clause.
2
plko345 2022-03-30 21:21:52 +08:00 via Android
Is nftables nice to use? I learned some of it but never used it; I'm still on iptables.
3
yaott2020 OP Then how do I stop the later chains from matching?
5
24owls 2022-03-30 21:59:59 +08:00
> Then how do I stop the later chains from matching?
No particularly good way. Either put them in (or jump to) the same base chain, or set a mark in the lower-priority chain first and then handle the special case in the higher-priority chain based on that mark.
7
yaott2020 OP So exhausting, still not working
```
table inet default { # handle 47
    chain filter { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 8092 meta mark set 0x000000fb # handle 4
    }
}
table inet SafeFortress { # handle 49
    set iplist4 { # handle 2
        type ipv4_addr
        flags interval
    }
    set iplist6 { # handle 3
        type ipv6_addr
        flags interval
    }
    chain filter { # handle 1
        type filter hook input priority filter + 1; policy accept;
        meta mark 0x000000fb return # handle 4
        ip saddr @iplist4 accept # handle 5
        ip6 saddr @iplist6 accept # handle 6
        drop # handle 7
    }
}
```
8
24owls 2022-03-30 22:55:04 +08:00
@yaott2020 Your configuration above has an even bigger problem: the rule `inet SafeFortress filter drop # handle 7` also drops the peer's TCP packets.
You still need to either add the peer's IP to the allowed IP list, or allow tcp sport 8092 through, or allow ct state { established, related } through.
9
yaott2020 OP Gave up... iptables is still easier to use.
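A ruleset that applies 24owls's advice from #5 and #8, written here as an added example rather than anything posted in the thread: the accept rules and the drop share one base chain, so `accept` is final for the input hook, and established/related traffic is admitted so the peer's packets are no longer dropped. The set elements are constructed sample addresses.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Single base chain on the input hook:
# "accept" terminates evaluation of this chain, and since nothing else hooks
# input at a later priority, no later chain can drop the packet.
flush ruleset

table inet filter {
    set iplist4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }   # constructed sample values
    }
    set iplist6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }                # constructed sample value
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept

        # Replies to connections this host initiated, which the thread's
        # trailing "drop" rule was discarding (post #8).
        ct state established,related accept
        ct state invalid drop

        # Without these, IPv6 neighbour discovery breaks under policy drop.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The service port and the allow-lists, in the same chain as the drop.
        tcp dport 8092 accept
        ip saddr @iplist4 accept
        ip6 saddr @iplist6 accept

        # Everything else: counted, then dropped (the chain policy would do
        # the same; the counter just makes "nft list ruleset" informative).
        counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset` that only this one chain carries `hook input`; any other table still hooking input at a later priority reintroduces the original problem.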