Hi,
I was trying to set up a simple port knocker using nftables in Oracle Linux 8.3.
Let's use a simple example: secure port 12345/tcp and use the UDP sequence 1230, 2340, 3450, 4560 to open the protected port.
The code is as follows:
flush ruleset
table inet filter {
    # Hosts that completed the whole knock sequence; entries expire on their own.
    set whitelist { type ipv4_addr; flags timeout; }
    # Hosts mid-sequence, keyed by source address and the NEXT expected knock port.
    set candidates { type ipv4_addr . inet_service; flags timeout; }
    chain input {
        type filter hook input priority -10; policy accept
        tcp dport 12345 ip saddr @whitelist accept
        tcp dport 12345 drop
    }
    chain raw {
        type filter hook prerouting priority raw; policy accept
        # HERE, see below
        udp dport 1230 add @candidates {ip saddr . 2340 timeout 10s} log prefix "knock1: " return
        udp dport 2340 ip saddr . udp dport @candidates add @candidates {ip saddr . 3450 timeout 10s} log prefix "knock2: " return
        udp dport 3450 ip saddr . udp dport @candidates add @candidates {ip saddr . 4560 timeout 10s} log prefix "knock3: " return
        udp dport 4560 ip saddr . udp dport @candidates add @whitelist {ip saddr timeout 10s} log prefix "knock4: " return
    }
}
While this snippet works fine with Fedora 33 (kernel 5.10.22-200.fc33.x86_64) it never goes past "knock1:" in Oracle Linux 8.3.
Using TCP instead of UDP doesn't matter.
However, I can get the port knocking to work when adding one of the following lines at HERE:
    udp dport 1230 ip saddr . udp dport @candidates log prefix "dummy: "
    udp dport {1230,2340,3450,4560} ip saddr . udp dport @candidates log prefix "dummy: "
The funny thing is that the first line never even matches.
What doesn't work is adding one of these lines:
    udp dport 1230 log prefix "dummy: "
    udp dport {2340,3450,4560} ip saddr . udp dport @candidates log prefix "dummy: "
    udp dport 6666 ip saddr . udp dport @candidates log prefix "dummy: "
Any ideas on this? As the example above works perfectly fine in Fedora, I suspect a bug in the UEK.
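Added illustration, not part of the original post and not nftables itself: a small Python model of the posted ruleset's logic (the two timed sets, the raw chain's knock rules with their `return`, and the input chain's accept/drop) so the knock state machine can be stepped through with controlled timestamps. All names here (`TimedSet`, `Knocker`, `knock`, `demo`) and the sample source addresses are invented for the example; it cannot reproduce the kernel-level difference between Fedora and Oracle Linux, only what the rules are supposed to do.

```python
"""Offline model of the nftables port-knock ruleset posted above.

Added example: it re-implements the rule logic in Python so the knock
state machine can be exercised without a kernel.  Every name below is an
assumption made for this illustration, not something from the ruleset.
"""

SEQUENCE = (1230, 2340, 3450, 4560)   # UDP knock ports from the post
PROTECTED = 12345                      # TCP port guarded by the whitelist
TIMEOUT = 10.0                         # "timeout 10s" on every set element


class TimedSet:
    """Minimal model of an nft set declared with 'flags timeout'."""

    def __init__(self):
        self._expiry = {}  # element -> absolute expiry time (seconds)

    def add(self, element, now):
        # Re-adding an existing element refreshes its timer, which is
        # what 'add @set { ... timeout 10s }' does in nft.
        self._expiry[element] = now + TIMEOUT

    def contains(self, element, now):
        # Expired elements must not match a lookup made at time 'now'.
        return self._expiry.get(element, float("-inf")) > now


class Knocker:
    """One host's view of the two sets and the two chains in the ruleset."""

    def __init__(self):
        self.candidates = TimedSet()   # set candidates { ipv4_addr . inet_service }
        self.whitelist = TimedSet()    # set whitelist  { ipv4_addr }
        self.log = []                  # stands in for the 'log prefix' lines

    def udp(self, saddr, dport, now):
        """Evaluate one UDP packet against the 'raw' chain, top to bottom."""
        for i, port in enumerate(SEQUENCE):
            if dport != port:
                continue
            # The first knock matches unconditionally; each later knock
            # only matches if 'saddr . dport' was queued by the previous one.
            if i > 0 and not self.candidates.contains((saddr, dport), now):
                return          # no rule matched: policy accept, nothing learned
            if i + 1 < len(SEQUENCE):
                self.candidates.add((saddr, SEQUENCE[i + 1]), now)
            else:
                self.whitelist.add(saddr, now)
            self.log.append(f"knock{i + 1}: {saddr}")
            return              # 'return' ends evaluation of the chain
        # Any other UDP port falls through untouched (policy accept).

    def tcp_verdict(self, saddr, dport, now):
        """Mirror the 'input' chain: verdict for a TCP packet to this host."""
        if dport != PROTECTED:
            return "accept"     # policy accept
        if self.whitelist.contains(saddr, now):
            return "accept"     # tcp dport 12345 ip saddr @whitelist accept
        return "drop"           # tcp dport 12345 drop


def knock(k, saddr, ports, start, step=1.0):
    """Send 'ports' from 'saddr', one every 'step' seconds, starting at 'start'."""
    for n, port in enumerate(ports):
        k.udp(saddr, port, start + n * step)
    return start + (len(ports) - 1) * step   # timestamp of the last knock


def demo():
    """Constructed scenarios; addresses are made up for the example."""
    results = {}
    # 1. Correct sequence, one knock per second: the port opens.
    k = Knocker()
    t = knock(k, "10.0.0.5", SEQUENCE, 0.0)
    results["in_order"] = k.tcp_verdict("10.0.0.5", PROTECTED, t + 1)
    # 2. The whitelist entry itself expires 10s after the last knock.
    results["after_expiry"] = k.tcp_verdict("10.0.0.5", PROTECTED, t + 11)
    # 3. Skipping the first knock never creates a candidate.
    k = Knocker()
    t = knock(k, "10.0.0.6", SEQUENCE[1:], 0.0)
    results["skip_first"] = k.tcp_verdict("10.0.0.6", PROTECTED, t + 1)
    # 4. Pausing longer than the 10s candidate timeout breaks the chain.
    k = Knocker()
    k.udp("10.0.0.7", 1230, 0.0)
    t = knock(k, "10.0.0.7", SEQUENCE[1:], 11.0)
    results["too_slow"] = k.tcp_verdict("10.0.0.7", PROTECTED, t + 1)
    # 5. A stray knock in between does NOT reset the sequence, because the
    #    rules only ever add elements; an ascending port sweep would pass.
    k = Knocker()
    t = knock(k, "10.0.0.8", (1230, 1999, 2340, 3450, 4560), 0.0)
    results["stray_knock"] = k.tcp_verdict("10.0.0.8", PROTECTED, t + 1)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>12}: {verdict}")
```

Two things the model makes visible that are worth checking on the real box: scenario 5 shows that a wrong knock is simply ignored rather than clearing the candidate entry, so the sequence only has to arrive in order within the timeouts, not in isolation; and because the posted input chain has no `ct state established` rule, packets belonging to an already-open connection to 12345 are also matched against the whitelist, so a session would start being dropped once the 10s whitelist entry expires.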