Need help using nftables to drop SNMP packets containing a specific community string


I am trying to use nftables [v1.0.2 (Lester Gooch)] to drop SNMP packets containing the community string 'pawan'. I am trying to use the nftables payload expressions - raw payload expression to match SNMP packets containing community string public like this:

  • nft add table ip filter
  • nft 'add chain ip filter input { type filter hook input priority 0; policy accept; }'
  • nft add rule ip filter input udp dport 161 @th,48,40 0x7077616e drop

Here @th (transport header) needs the offset and length in bits (https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression)

The SNMP community string “pawan” in the packet is represented by the hexadecimal string 0x707177616e.

To find the offset of this hexadecimal string 0x707177616e from the start of the UDP payload, we need to know where the UDP payload starts. In a typical IP packet:

The Ethernet header is 14 bytes. The IP header is usually 20 bytes but can be longer if options are used. The UDP header is 8 bytes. So, the UDP payload typically starts at byte 42 (14 + 20 + 8) of the packet.

The SNMP community string “pawan” starts at byte 48 of the packet ("\x70\x61\x77\x61\x6e"), so its offset from the start of the UDP payload is 48 - 42 = 6 bytes. The offset in bits is 6 * 8 = 48 bits.

The length of the string “pawan” is 5 bytes, so the length in bits is 5 * 8 = 40 bits.

So I am using an offset of 48 and a length of 40 to match this community string in the UDP payload.

However, this does not work because, internally, this is what nftables takes it as:

  • nft list ruleset

    table ip filter {
        chain input {
            type filter hook input priority filter; policy accept;
            udp dport 161 udp checksum 112 @th,64,24 0x77616e drop
        }
    }

This nft rule is not working.

I need help to understand if I am supposed to do anything differently. Any help would be really appreciated. Thanks.
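The rule listing above is the key clue: the offset in a `@th,offset,length` expression is counted from the first byte of the transport header, not from the start of the UDP payload, so bits 48 to 63 are the UDP checksum field. That is why nft rewrote the 40-bit value 0x7077616e (00 70 77 61 6e once widened to five bytes) as `udp checksum 112` followed by `@th,64,24 0x77616e`. The community string therefore sits 8 bytes (64 bits) further in than the hand calculation assumed, and its hex value is best derived from the bytes rather than typed out. The following added example (not code from the question or from the nftables project) builds a constructed SNMPv1 GetRequest, walks its BER encoding to locate the community OCTET STRING, and prints the corresponding `@th` rule; it also emulates the match over a constructed UDP datagram so the 48-bit and 120-bit offsets can be compared. The message builder, the UDP header (checksum left at 0) and the helper names are all my own assumptions.

```python
"""Derive an nftables raw-payload (@th) match for an SNMP community string.

Added example, not from the original question. @th offsets are counted from
byte 0 of the UDP header, so the payload starts at bit 64, and the community
string's position inside the payload follows from the BER encoding.
"""
import struct

UDP_HEADER_LEN = 8  # bytes; @th offset 0 is the first byte of this header


def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a short-form length (body shorter than 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def build_snmp_get(community: bytes, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest for sysDescr.0 (not a captured packet)."""
    oid_sysdescr = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])  # 1.3.6.1.2.1.1.1.0
    varbind = ber(0x30, ber(0x06, oid_sysdescr) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, bytes([request_id])) + ber(0x02, b"\x00")
              + ber(0x02, b"\x00") + ber(0x30, varbind))
    # SEQUENCE { INTEGER version(0), OCTET STRING community, GetRequest-PDU }
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)


def read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at buf[pos]; return (position after it, length).

    Handles the long form (0x81 nn, 0x82 nn nn, ...) that messages of 128 bytes
    or more use, which shifts every later field by the extra length bytes."""
    first = buf[pos]
    if first < 0x80:
        return pos + 1, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def locate_community(snmp_msg: bytes) -> tuple[int, bytes]:
    """Return (byte offset of the community string in the SNMP message, its bytes)."""
    if snmp_msg[0] != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    pos, _ = read_length(snmp_msg, 1)
    if snmp_msg[pos] != 0x02:                  # version INTEGER
        raise ValueError("version INTEGER missing")
    pos, vlen = read_length(snmp_msg, pos + 1)
    pos += vlen
    if snmp_msg[pos] != 0x04:                  # community OCTET STRING (absent in SNMPv3)
        raise ValueError("community OCTET STRING missing")
    pos, clen = read_length(snmp_msg, pos + 1)
    return pos, snmp_msg[pos:pos + clen]


def nft_rule(snmp_msg: bytes, community: bytes) -> str:
    """nft rule dropping datagrams that carry `community` at the offset it has in `snmp_msg`."""
    off, found = locate_community(snmp_msg)
    if found != community:
        raise ValueError(f"message carries community {found!r}, not {community!r}")
    offset_bits = (UDP_HEADER_LEN + off) * 8   # header bytes come first in @th
    length_bits = len(community) * 8
    return f"udp dport 161 @th,{offset_bits},{length_bits} 0x{community.hex()} drop"


def udp_datagram(payload: bytes, sport: int = 50000, dport: int = 161) -> bytes:
    """Constructed UDP header (length filled in, checksum 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def th_matches(datagram: bytes, offset_bits: int, length_bits: int, value: int) -> bool:
    """Emulate a byte-aligned @th,offset,length match over UDP header + payload."""
    start, nbytes = offset_bits // 8, length_bits // 8
    field = datagram[start:start + nbytes]
    return len(field) == nbytes and int.from_bytes(field, "big") == value


if __name__ == "__main__":
    msg = build_snmp_get(b"pawan")
    print(nft_rule(msg, b"pawan"))
    dgram = udp_datagram(msg)
    print("correct offset matches:", th_matches(dgram, 120, 40, 0x706177616E))
    print("offset 48 matches:", th_matches(dgram, 48, 40, 0x7077616E))  # bit 48 is the checksum
```

For the constructed message the community string sits at byte 7 of the SNMP payload, so the generated rule is `udp dport 161 @th,120,40 0x706177616e drop`. Keep in mind that this is a fixed-offset byte comparison, not SNMP parsing: a message whose outer SEQUENCE needs a long-form length (128 bytes or more) shifts the community string by one or more bytes and will not hit the same offset, so check the offset against a capture of the traffic you actually want to drop.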
