On 2021-10-07, at 09:26:05 +1000, Harry STARR wrote:
> [...]
> And here is the nft -s list ruleset
>
> >>>
> root@y6:~ # nft -s list ruleset
> table ip filter {
> 	set bad_guys {
> 		type ipv4_addr
> 		size 65535
> 		counter
> 		timeout 31m
> 	}
>
> 	set black {
> 		type ipv4_addr
> 		size 65535
> 		flags interval
> 		counter
> 		elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
> 	}
>
> 	set dns_black {
> 		type ipv4_addr
> 		size 65535
> 		counter
> 		timeout 1d
> 		elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
> 	}
>
> 	chain INPUT {
> 		type filter hook input priority filter; policy drop;
> 		ip saddr @bad_guys counter packets 0 bytes 0 drop
> 		ct state invalid counter packets 22 bytes 3204 drop
> 		ct state established,related counter packets 351 bytes 28667 accept
> 		iifname "lo" counter packets 0 bytes 0 accept
> 		ip saddr @black counter packets 0 bytes 0 drop
> 		ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
> 		iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
> 		udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
> 		tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
> 		udp dport 53 counter packets 0 bytes 0 accept
> 		tcp dport 53 counter packets 0 bytes 0 accept
> 		fib daddr type multicast counter packets 0 bytes 0 drop
> 		add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
> 	}
>
> 	chain FORWARD {
> 		type filter hook forward priority filter; policy accept;
> 	}
>
> 	chain OUTPUT {
> 		type filter hook output priority filter; policy accept;
> 	}
> }
> <<<
>
> NOTICE: in chain INPUT: the packet/bytes are still listed,
> and in the set listings, the packet/count values and expires time are
> listed.
Thanks. It seems that the `stateless` flag gets lost in some circumstances.

Compare this:

$ sudo nft --stateless list ruleset
table ip filter {
	[...]
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ip saddr @bad_guys counter packets 92 bytes 49768 drop
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related counter packets 6281 bytes 4373744 accept
		iifname "lo" counter packets 1 bytes 73 accept
		ip saddr @black counter packets 0 bytes 0 drop
		ip saddr 192.168.0.0/16 counter packets 142 bytes 39680 accept
		iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 0 bytes 0 accept
		udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
		tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
		udp dport 53 counter packets 0 bytes 0 accept
		tcp dport 53 counter packets 0 bytes 0 accept
		fib daddr type multicast counter packets 1 bytes 73 drop
		add @bad_guys { ip saddr } log level debug counter packets 1 bytes 576 drop
	}
	[...]
}

with this:

$ sudo nft --stateless list chain filter INPUT
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ip saddr @bad_guys counter drop
		ct state invalid counter drop
		ct state established,related counter accept
		iifname "lo" counter accept
		ip saddr @black counter drop
		ip saddr 192.168.0.0/16 counter accept
		iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
		udp dport 53 ip saddr @dns_black counter drop
		tcp dport 53 ip saddr @dns_black counter drop
		udp dport 53 counter accept
		tcp dport 53 counter accept
		fib daddr type multicast counter drop
		add @bad_guys { ip saddr } log level debug counter drop
	}
}

I'll send a patch upstream.

J.
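Until `nft --stateless list ruleset` reliably omits the state, a listing can be normalised after the fact so that two snapshots of the ruleset can be compared for configuration drift without counter values and expiry timers producing noise. The following is an added example, not code from the thread or from nftables: it strips `counter packets N bytes M` down to `counter` and removes `expires <duration>` from set elements, then diffs two listings; the two sample listings are constructed and modelled on the ruleset quoted above.

```python
"""Strip the stateful parts of `nft list ruleset` output so two listings can be diffed."""
import difflib
import re
from typing import List

# `counter packets N bytes M` (on rules and on set elements) -> bare `counter`
_COUNTER_RE = re.compile(r"\bcounter packets \d+ bytes \d+")
# `expires 22h58m48s84ms` on timed-out set elements is remaining lifetime, not configuration
_EXPIRES_RE = re.compile(r"\s+expires\s+(?:\d+(?:ms|d|h|m|s))+")

def stateless_line(line: str) -> str:
    """Return one listing line with counter values and expiry timers removed."""
    return _EXPIRES_RE.sub("", _COUNTER_RE.sub("counter", line))

def stateless_ruleset(text: str) -> str:
    """Normalise a whole listing; `timeout`, `size` and `flags` are kept, they are configuration."""
    return "\n".join(stateless_line(line) for line in text.splitlines())

def ruleset_drift(expected: str, actual: str) -> List[str]:
    """Lines added (+) or removed (-) between two listings once state is ignored."""
    diff = difflib.unified_diff(stateless_ruleset(expected).splitlines(),
                                stateless_ruleset(actual).splitlines(), lineterm="", n=0)
    return [d for d in diff if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]

# Constructed sample listing (hypothetical, modelled on the thread's ruleset; 4-space indent).
BASELINE = """table ip filter {
    set dns_black {
        type ipv4_addr
        counter
        timeout 1d
        elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
    }
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip saddr @bad_guys counter packets 0 bytes 0 drop
        ip saddr @black counter packets 0 bytes 0 drop
        udp dport 53 counter packets 0 bytes 0 accept
    }
}"""
# The same ruleset captured later: timer ticked down, counters moved on, one rule deleted.
LIVE = BASELINE.replace("expires 22h58m48s84ms", "expires 3h7m1s9ms")
LIVE = LIVE.replace("@bad_guys counter packets 0 bytes 0", "@bad_guys counter packets 92 bytes 49768")
LIVE = LIVE.replace("        ip saddr @black counter packets 0 bytes 0 drop\n", "")

if __name__ == "__main__":
    for change in ruleset_drift(BASELINE, LIVE):
        print(change)  # only the deleted @black rule is reported
```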