How to correctly create a second input chain in another nftables table?

Here is my test nft ruleset. Apart from table inet test, table f2b-table is absolutely similar (except for drop vs. accept) and works fine:

table inet f2b-table {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 0.0.0.0 }
    }

    chain input {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 222 } ip saddr @addr-set-sshd drop
    }
}
table inet default {
    set full_op_port {
        type inet_service
        elements = { 222 }
    }

    set allowed_ips {
        type ipv4_addr
        elements = { 0.0.0.0 }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state { established, related } accept
        iif "lo" accept
        tcp dport @full_op_port accept
        ip saddr @allowed_ips accept
        ip protocol icmp accept
        counter packets 17 bytes 884
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
table ip test {
    chain PREROUTING {
        type nat hook prerouting priority filter; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
table inet test {
    set op_port {
        type inet_service
        elements = { 8888 }
    }

    chain INPUT {
        type filter hook input priority filter - 2; policy accept;
        tcp dport @op_port accept
    }
}

I see the packets in tcpdump, and when I add a counter in table inet test I see the packets there too, but the packets are not accepted. What am I doing wrong?

Answer from A.B, who says:

Just to clarify that a packet can be accepted (or not) multiple times in the same hook:

and from the nft man page:

accept

Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.

Your default table base chain with priority 0 will be evaluated after your test table base chain with priority -2, and because it has a drop policy and the packet does not match anything there, it will be dropped.

The man page is confusing about this. It says the accept verdict "terminates ruleset evaluation and accepts the packet", but it really only terminates the ruleset's view at the given base chain priority. Other base chains of the same type, hook and family with a lower priority (a higher priority number) will still run afterwards and can override it by rule or by policy. This is unlike the drop verdict, where everything stops and the packet is dropped immediately. You can see the real effect using logging:

nft flush ruleset
nft create table ip table1
nft add chain ip table1 input1 { type filter hook input priority filter\; policy drop\; }
nft add rule ip table1 input1 tcp dport != 8888 accept
nft add rule ip table1 input1 tcp dport 8888 log prefix \"TABLE1_INPUT1 DROPPING \" level info
nft create table ip table2
nft add chain ip table2 input2 { type filter hook input priority filter - 1\; policy accept\; }
nft add rule ip table2 input2 tcp dport != 8888 accept
nft add rule ip table2 input2 tcp dport 8888 log prefix \"TABLE2_INPUT2 BEFORE \" level info
nft add rule ip table2 input2 tcp dport 8888 accept
nft add rule ip table2 input2 tcp dport 8888 log prefix \"TABLE2_INPUT2 AFTER \" level info

I have added another answer here with examples to clarify the unexpected consequences of mixing policies across multiple base chains of the same family, type and hook. Although these priorities can be made the same, they never should be. A lower priority number means a higher priority and will be run first. Applying a drop policy in the wrong place can have unintended consequences for traffic you intend to accept.

As for the effects of mixing the inet family with ip and ip6, I will not even begin to opine, other than to say it is probably a bad idea.

Warning: these examples horribly break IPv4 traffic and were run on a VM - buyer beware!

A bad drop policy example:

table inet filter {
    chain input1 {
        type filter hook input priority filter + 1; policy drop;
        tcp dport 80 log prefix "input1_" # SEEN
    }

    # input2 chain not evaluated as there is no traffic left after input1
    chain input2 {
        type filter hook input priority filter + 2; policy accept;
        tcp dport 80 accept
        tcp dport 80 log prefix "input2_"
    }
}

An OK drop policy example:

table inet filter {
    chain input1 {
        type filter hook input priority filter + 1; policy accept;
        tcp dport 80 log prefix "input1_" # SEEN
    }
    chain input2 {
        type filter hook input priority filter + 2; policy drop;
        tcp dport 80 accept
        tcp dport 80 log prefix "input2_" # NOT SEEN due to previous accept
    }
}

A bad accept policy example:

table inet filter {
    chain input1 {
        type filter hook input priority filter + 1; policy accept;
        tcp dport 80 accept
        tcp dport 80 log prefix "input1_" # NOT SEEN due to previous accept
    }
    chain input2 {
        type filter hook input priority filter + 2; policy drop;
        tcp dport 80 log prefix "input2_" # SEEN - chain evaluates
        # all traffic dropped here by policy, including traffic accepted in input1
    }
}

An OK accept policy example:

table inet filter {
    chain input1 {
        type filter hook input priority filter + 1; policy accept;
        tcp dport 80 log prefix "input1_" # SEEN
    }
    chain input2 {
        type filter hook input priority filter + 2; policy drop;
        tcp dport 80 accept
        tcp dport 80 log prefix "input2_" # NOT SEEN due to previous accept
    }
}

As the nft man page states, a drop by rule or by policy drops immediately, with no further processing of lower-priority base chains. Accept does not. It short-circuits the remaining rules at the current priority and hands the packet off to the next lower priority, but if no rule there accepts it, it can still be dropped explicitly by a rule or implicitly by the policy.

Perhaps the simplest approach is to use a single base chain and jump/goto to non-base chains, which is how iptables works.
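The following is an added example and is not code from the question or from either answer. It is a small Python model of the netfilter hook pipeline that nftables base chains plug into, written to make A.B's point (accept ends only the current base chain, drop ends everything) and the four input1/input2 examples above checkable without root or a kernel. It rebuilds the asker's three input base chains with the priorities, ports and policies from the question, replays the four policy examples, and finally shows the single-base-chain fix suggested in the last line. Chain names, ports and log prefixes come from the page; the packet fields (a constructed new TCP packet from 203.0.113.7) and all helper names are assumptions made for the example.

```python
# Added example: toy model of several nftables base chains sharing one hook.
# Not from the question or the answers; packets are constructed dicts.
from dataclasses import dataclass, field
from typing import Callable, Optional

Packet = dict  # e.g. {"proto": "tcp", "dport": 8888, "saddr": "203.0.113.7"}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: Optional[str] = None      # "accept" / "drop"; None = non-terminal (log, counter)
    log_prefix: Optional[str] = None   # emulates `log prefix "..."`


@dataclass
class BaseChain:
    name: str
    priority: int                      # lower number runs first, like `priority filter - 2`
    policy: str                        # used when no rule in the chain issued a verdict
    rules: list = field(default_factory=list)


def run_chain(chain: BaseChain, pkt: Packet, log: list) -> str:
    """Evaluate one base chain: first terminal verdict wins, otherwise the policy."""
    for rule in chain.rules:
        if not rule.match(pkt):
            continue
        if rule.log_prefix is not None:
            log.append(rule.log_prefix)   # a log statement does not end evaluation
        if rule.verdict is not None:
            return rule.verdict
    return chain.policy


def run_hook(chains: list, pkt: Packet):
    """Run every base chain on the hook in priority order (lowest number first).

    A drop verdict (rule or policy) ends processing of the packet at once.
    An accept verdict only ends the current chain; the next base chain still
    runs and may drop the packet by rule or by policy.
    """
    log: list = []
    for chain in sorted(chains, key=lambda c: c.priority):
        if run_chain(chain, pkt, log) == "drop":
            return "drop", log
    return "accept", log


def tcp(dport: int) -> Callable[[Packet], bool]:
    return lambda p: p.get("proto") == "tcp" and p.get("dport") == dport


def asker_input_hook(inline_8888: bool = False) -> list:
    """The three input base chains from the question, reduced to what matters.

    inline_8888=True models the suggested fix: the accept for port 8888 lives in
    the single policy-drop chain instead of a separate priority -2 base chain.
    """
    test = BaseChain("inet test INPUT", -2, "accept", [Rule(tcp(8888), "accept")])
    f2b = BaseChain("inet f2b-table input", -1, "accept",
                    [Rule(lambda p: p.get("dport") == 222 and p.get("saddr") == "0.0.0.0", "drop")])
    default = BaseChain("inet default INPUT", 0, "drop", [
        Rule(lambda p: p.get("ct") in ("established", "related"), "accept"),
        Rule(lambda p: p.get("iif") == "lo", "accept"),
        Rule(tcp(222), "accept"),
        Rule(lambda p: p.get("saddr") == "0.0.0.0", "accept"),
        Rule(lambda p: p.get("proto") == "icmp", "accept"),
    ])
    if inline_8888:
        default.rules.append(Rule(tcp(8888), "accept"))
        return [f2b, default]
    return [test, f2b, default]


def asker_verdict(dport: int, fixed: bool = False) -> str:
    """Final verdict for a new (no ct state) TCP packet to dport from 203.0.113.7."""
    pkt = {"proto": "tcp", "dport": dport, "saddr": "203.0.113.7"}
    verdict, _ = run_hook(asker_input_hook(inline_8888=fixed), pkt)
    return verdict


def policy_example(policy1: str, accept_in1: bool, policy2: str, accept_in2: bool):
    """One of the input1/input2 examples above, for a new TCP/80 packet.

    Returns (final verdict, log prefixes seen) so the SEEN / NOT SEEN comments
    in the examples can be checked.
    """
    rules1 = ([Rule(tcp(80), "accept")] if accept_in1 else []) + [Rule(tcp(80), log_prefix="input1_")]
    rules2 = ([Rule(tcp(80), "accept")] if accept_in2 else []) + [Rule(tcp(80), log_prefix="input2_")]
    chains = [BaseChain("input1", 1, policy1, rules1), BaseChain("input2", 2, policy2, rules2)]
    return run_hook(chains, {"proto": "tcp", "dport": 80})


if __name__ == "__main__":
    print("asker, tcp/8888:", asker_verdict(8888))              # drop
    print("asker, tcp/8888 with inlined accept:", asker_verdict(8888, fixed=True))  # accept
    print("bad drop policy:", policy_example("drop", False, "accept", True))
    print("bad accept policy:", policy_example("accept", True, "drop", False))
```

In this model the asker's TCP/8888 packet is accepted by the priority -2 chain, passes through the f2b chain on its accept policy, and is then dropped by the priority 0 chain's drop policy, exactly as A.B describes. Moving the accept into the single policy-drop chain (the `fixed` path) is the one-base-chain layout the last answer recommends; the model does not implement `jump`/`goto`, so a regular chain would be modelled as rules appended to the base chain in the same way.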