Patrick McHardy wrote: > Examples The rule snippets under tests/ pretty much all use obsolete syntax, so I'm attaching a test script (which doesn't make much sense, just testing features) so people can get a feeling for the syntax.
#! /home/kaber/src/nf/nft/nftables/src/nft -nf #include "ipv4-filter" flush table filter delete table filter table filter { chain log_drop { counter log prefix "drop" drop } chain log_accept { counter log prefix "accept" accept } chain accept_related { counter tcp dport < 1024 counter log prefix "drop-related" drop udp dport < 1024 counter log prefix "drop-related" drop ct helper "sip" counter log prefix "accept-related-sip" accept ct helper "ftp" counter log prefix "accept-related-ftp" accept ct helper "irc" counter log prefix "accept-related-irc" accept counter log prefix "accept-related" accept } chain accept_stateful { counter ct state vmap { established => accept, related => jump accept_related } counter } chain input_local { counter jump accept_stateful jump log_accept } chain output_local { counter jump accept_stateful udp dport { 123, 631, 514} accept jump log_accept } chain input { hook NF_INET_LOCAL_IN 0 counter meta iif vmap { \ "eth0" => jump input_local, \ "eth1" => jump input_local, \ * => continue, \ } counter } chain test1 { counter } chain output { hook NF_INET_LOCAL_OUT 0 counter meta oif vmap { \ "eth0" => jump output_local, \ "eth1" => jump output_local, \ * => continue, \ } counter meta oif { \ "eth0", \ "eth1", \ } counter ip daddr vmap { \ 192.168.0.1 => jump test1, \ * => continue, \ } counter } }