Patrick McHardy wrote:
> Examples
The rule snippets under tests/ pretty much all use obsolete syntax,
so I'm attaching a test script (which doesn't make much sense, just
testing features) so people can get a feeling for the syntax.
#! /home/kaber/src/nf/nft/nftables/src/nft -nf
#include "ipv4-filter"
flush table filter
delete table filter
table filter {
chain log_drop {
counter log prefix "drop" drop
}
chain log_accept {
counter log prefix "accept" accept
}
chain accept_related {
counter
tcp dport < 1024 counter log prefix "drop-related" drop
udp dport < 1024 counter log prefix "drop-related" drop
ct helper "sip" counter log prefix "accept-related-sip" accept
ct helper "ftp" counter log prefix "accept-related-ftp" accept
ct helper "irc" counter log prefix "accept-related-irc" accept
counter log prefix "accept-related" accept
}
chain accept_stateful {
counter
ct state vmap { established => accept, related => jump accept_related }
counter
}
chain input_local {
counter
jump accept_stateful
jump log_accept
}
chain output_local {
counter
jump accept_stateful
udp dport { 123, 631, 514} accept
jump log_accept
}
chain input {
hook NF_INET_LOCAL_IN 0
counter
meta iif vmap { \
"eth0" => jump input_local, \
"eth1" => jump input_local, \
* => continue, \
}
counter
}
chain test1 {
counter
}
chain output {
hook NF_INET_LOCAL_OUT 0
counter
meta oif vmap { \
"eth0" => jump output_local, \
"eth1" => jump output_local, \
* => continue, \
} counter
meta oif { \
"eth0", \
"eth1", \
} counter
ip daddr vmap { \
192.168.0.1 => jump test1, \
* => continue, \
} counter
}
}
