Questions[nftables](server)

I have

table ip nat {
    chain Redirect_to_local {
            limit rate 3/minute burst 10 packets log prefix "[nft.ip.dnat.8080]: "
            redirect to :8080
    }
    chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname != { "lo", "ISP*" } fib daddr type != { local, multicast, broadcast } udp dport == 8000 counter jump Redirect_to_local
    }
}

and it's incorrect because transport protocol mapping is only valid after transport protocol match. But why? It DID match, but not directly there.

If I add udp dport == 8000 before redirect it will be accepted as correct, despite duplication of rule (which is annoying).

Is there a way to overcome this? Or did I misunderstand this?

It is not clear to me from the manual if this commands are equal in their function:

meta skuid == "root" counter accept
skuid 0 counter accept

also

ct state == { established,  related } counter accept
ct state established,related counter accept

My questions about syntax is:

1. can I skip word meta (seems it must be skipped when item used in log flags)?
2. can I add == sign in any command that match something (for readability)?
3. can I write list (set of items) as item1,item2 and not { item1, item2 } or it's only for ct command?

With the following setup:

#!/usr/sbin/nft -f
add table ip filter
add chain ip filter input { type filter hook input priority 0; }
add set   ip filter nat-group-1 { type ipv4_addr; }
add set   ip filter nat-group-2 { type ipv4_addr; }
add set   ip filter nat-group-3 { type ipv4_addr; }
add set   ip filter nat-group-4 { type ipv4_addr; }
add set   ip filter nat-group-5 { type ipv4_addr; }
add rule  ip filter input ip saddr @nat-group-1 tcp dport 22 drop
add table ip nat
add chain ip nat postrouting {type nat hook postrouting priority srcnat; policy accept; }
add rule  ip nat postrouting ip saddr @nat-group-1 snat to 192.168.1.0/24 persistent
add rule  ip nat postrouting ip saddr @nat-group-2 snat to 192.168.2.0/24 persistent

I get the error message

Error: No such file or directory; did you mean set ‘nat-group-1’ in table ip ‘filter’?

I do not know how to reference a set from another table. Is this possible? Suspect one can get around this issue by duplicating the set in the two tables, but the error message makes me hopeful that there is some syntax that I'm not aware of.

I will be referencing the set in both tables.

I'm setting up a server with coturn using only STUN (TURN is disabled). It seems that STUN UDP can be used for DDoS, so I'm trying to set nftables rules to make it harder, but the rules don't seem to always work. Sometimes, I can see something like this using tcpdump:

21:16:08.006842 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.007091 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.258386 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.258613 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.278988 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.279229 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.475423 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.475734 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.481217 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.481416 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.484939 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.485211 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.490332 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.490545 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.505617 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.505901 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.529745 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.530020 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72
21:16:08.819766 IP 5.39.71.183.25565 > A.B.C.D.3478: UDP, length 20
21:16:08.820048 IP A.B.C.D.3478 > 5.39.71.183.25565: UDP, length 72

Which is above the 3/second limit specified on nft. The nft rules are:

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }

        iifname lo accept

        tcp dport 1935 ct state new log prefix "[RTMP]: " accept
        tcp dport 443 ct state new log prefix "[HTTPS]: " accept
        tcp dport 3478 ct state new log prefix "[STUN TCP]: " limit rate 5/second accept
        tcp dport 5349 ct state new log prefix "[STUN TLS]: " limit rate 5/second accept
        ########################################################################
        ####### These two rules are where it is not behaving as intended #######
        udp dport 3478 log prefix "[STUN UDP]: " limit rate 3/second accept
        udp dport 3478 log prefix "[STUN UDP THIS RULE]: " limit rate over 3/second drop
        ########################################################################
        ip saddr E.F.G.H ct state new log prefix "[Some server that is allowed]: " accept
        udp dport 5060 ct state new log prefix "[SIP UDP]: " accept
        tcp dport 5060 ct state new log prefix "[SIP TCP]: " accept
        tcp dport 5061 ct state new log prefix "[SIP TLS]: " accept
        udp dport { 5000-31000 } ct state new log prefix "[RTP]: " accept
        ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport { 67, 68 } ct state new drop

    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

There are some additional rules because there are some other services running, but I faced this problem even when the other services using the other ports were stopped.

The strangest thing to me is that there is only one mention about these packets on dmesg:

[4151543.207466] [STUN UDP]: IN=eth0 OUT= MAC=00:00:00:00:00:00:d4:c1:9e:0b:4d:c0:08:00 SRC=5.39.71.183 DST=A.B.C.D LEN=48 TOS=0x00 PREC=0x00 TTL=241 ID=31022 PROTO=UDP SPT=25565 DPT=3478 LEN=28

It's very likely I'm not understanding something, either about nftables, STUN, both or something else. The questions:

1. Is the order of the rules wrong? Like, the STUN UDP rules should be before the ct state vmap line?

2. With the nftables rule setting the 3/second limit, with no consideration about the state of the packet, shouldn't it be processed on every packet received on port 3478?

Or maybe it's something else I have not identified that is making the nftables limit not be applied.

System information:

OS: Debian 11
coturn version: 4.5.2-3 from the Debian repository.
nftables version: v0.9.8 (E.D.S.) from the Debian repository.

With iptables I can change the for example INPUT policy with iptables -P INPUT DROP to drop. Is there any option to do the same with nft?

Editing /etc/nftables.conf would work of course but that is not what I want.