Jan Engelhardt <jengelh@xxxxxxx> wrote:

> >> add rule ip raw-set peerblock ip daddr @some_set tcp dport vmap { 80:accept, 443:accept } counter drop
> >>
> >> Which in mind would be: allow 80 and 443, and block the rest.
> >> But that actually doesn't work, I mean it doesn't block the rest.
> >>
> >> Also, does "counter" work with vmap because I see "0" all the time?
>
> Conceptually, the use of a _verdict_ map looks wrong - the traditional
> --sport option is not introducing any terminating verdict, but an expression
> {port==80 || port==443}. I'd expect nf syntax to be more like
> tcp dport none-of/any-of { 80 443 } drop.

Yes, this is because of lack of context. Here are saner examples:

ip protocol { tcp: jump tcp_tests, udp: jump udp_tests } jump other

Right now 'jump other' is unreachable -- I consider that a bug.
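The intent of the quoted rule (accept 80/443 towards the set members, drop everything else to them) written as an nftables ruleset that does not rely on a statement after a verdict map; this is an added example, not from the thread, and the table name, hook and sample address are assumptions (only "some_set" and "peerblock" come from the quoted rule):

```nft
# Added example. Table/hook and the element address are assumptions;
# "some_set" and "peerblock" are taken from the rule quoted in the thread.
table ip raw {
    set some_set {
        type ipv4_addr
        elements = { 192.0.2.10 }   # constructed sample peer
    }

    chain peerblock {
        type filter hook output priority raw; policy accept;

        # Flawed form from the thread: the vmap already yields a terminating
        # verdict for 80/443, so the trailing "counter drop" is never reached
        # (the same "unreachable" problem as the 'jump other' example), and the
        # counter stays at 0.
        #ip daddr @some_set tcp dport vmap { 80 : accept, 443 : accept } counter drop

        # Same intent as two rules with a plain match expression: ports 80/443
        # to set members are accepted; any other traffic to them is dropped,
        # and each branch has its own counter.
        ip daddr @some_set tcp dport { 80, 443 } counter accept
        ip daddr @some_set counter drop
    }
}
```

The ruleset can be syntax-checked without loading it via `nft -c -f <file>`.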