nftables issue on uekr6 5.4.17-2036.104.5.el8uek?

Hi,
I was trying to set up a simple port knocker using nftables in Oracle Linux 8.3.
Let's use a simple example like secure port 12345/tcp and use the udp sequence 1230,2340,3450,4560 to open the protected port.
The code is as follows:
flush ruleset
table inet filter {
    set whitelist {
        type ipv4_addr; flags timeout;
    }
    set candidates {
        type ipv4_addr . inet_service; flags timeout;
    }
    chain input {
        type filter hook input priority -10; policy accept
        tcp dport 12345 ip saddr @whitelist accept
        tcp dport 12345 drop
    }
    chain raw {
        type filter hook prerouting priority raw; policy accept
        # HERE, see below
        udp dport 1230 add @candidates {ip saddr . 2340 timeout 10s} log prefix "knock1: " return
        udp dport 2340 ip saddr . udp dport @candidates add @candidates {ip saddr . 3450 timeout 10s} log prefix "knock2: " return
        udp dport 3450 ip saddr . udp dport @candidates add @candidates {ip saddr . 4560 timeout 10s} log prefix "knock3: " return
        udp dport 4560 ip saddr . udp dport @candidates add @whitelist {ip saddr timeout 10s} log prefix "knock4: " return
    }
}
While this snippet works fine with Fedora 33 (kernel 5.10.22-200.fc33.x86_64), it never goes past "knock1:" in Oracle Linux 8.3.
Using tcp instead of udp doesn't matter.
However, I can get the port knocking to work when adding one of the following lines at HERE:
udp dport 1230 ip saddr . udp dport @candidates log prefix "dummy: "
udp dport {1230,2340,3450,4560} ip saddr . udp dport @candidates log prefix "dummy: "
The funny thing is that the first line never even matches.
What doesn't work is adding one of these lines:
udp dport 1230 log prefix "dummy: "
udp dport {2340,3450,4560} ip saddr . udp dport @candidates log prefix "dummy: "
udp dport 6666 ip saddr . udp dport @candidates log prefix "dummy: "
Any ideas on this? As the example above is working perfectly fine in Fedora, I suspect a bug in the uek.
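A small diagnostic, added here as an example and not part of the original post: it parses the kernel log lines that the ruleset's "knockN: " log prefixes produce (as seen in dmesg or journalctl -k) and reports how far each source address got through the sequence, which makes the "never goes past knock1:" symptom visible per host. The log lines, interface name and addresses are constructed; the stage-to-port mapping is the one from the ruleset above.

```python
import re
from collections import defaultdict

# Constructed kernel log lines in the format nftables "log prefix" rules emit.
# 192.0.2.10 completes all four knocks; 192.0.2.20 stalls at knock1, which is
# the symptom described in the post.
SAMPLE_LOG = """\
[ 100.1] knock1: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40000 DPT=1230 LEN=16
[ 100.2] knock2: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40000 DPT=2340 LEN=16
[ 100.3] knock3: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40000 DPT=3450 LEN=16
[ 100.4] knock4: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40000 DPT=4560 LEN=16
[ 200.1] knock1: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40001 DPT=1230 LEN=16
[ 200.2] knock1: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=40001 DPT=1230 LEN=16
"""

# Knock stage -> expected UDP destination port, taken from the ruleset in the post.
SEQUENCE = {1: 1230, 2: 2340, 3: 3450, 4: 4560}

LINE_RE = re.compile(r"knock(?P<stage>\d): .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def knock_progress(log_text):
    """Return {source_ip: highest knock stage logged for that source}.

    A line whose logged stage does not match the expected port for that stage
    is ignored, since it would mean the log prefix and rule have drifted apart.
    """
    progress = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stage, src, dpt = int(m["stage"]), m["src"], int(m["dpt"])
        if SEQUENCE.get(stage) != dpt:
            continue
        progress[src] = max(progress[src], stage)
    return dict(progress)


def stalled_sources(log_text):
    """Sources that started the sequence but never reached the final knock."""
    final_stage = max(SEQUENCE)
    return sorted(src for src, stage in knock_progress(log_text).items()
                  if stage < final_stage)
```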
Best Answer
Looks like the issue is solved with uekr6u2.
Thanks!