Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > $ iptables-nft-save
> > -A INPUT -p tcp -m tcp --sport 12345
> > -A INPUT -p tcp -m tcp --sport 12345 --dport 6789
> > -A INPUT -p tcp -m tcp --sport 0:1023
> > -A INPUT -p tcp -m tcp --dport 1024:65535
>
> You can probably use the range expression, it has been there already
> for quite some time and it is slightly more efficient than two cmp
> expressions. nft still uses cmp for ranges for backward compatibility
> reasons (range support is available since 4.9 and -stable 4.4 enters
> EOL next month apparently), it only uses range for tcp dport != 0-1023.

Thanks for the hint, this was broken indeed, I reworked this to handle
existing range handling via two cmp expressions.

range sounds good, will add support for it too.

> > This would allow to extend iptables-nft to prefer
> > native payload expressions for --sport,dport in the future.
>
> Using the native payload for transport in the near future sounds a
> good idea to me.

Great, I will work on this once the reverse translation is working.
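As an added illustration (not code from this thread or from iptables-nft), a small Python translator that renders the port matches of those iptables-save rules as the expression sequences the thread compares: two cmp expressions for a range in the compat encoding, a single range expression when preferred, and range unconditionally for a negated range, which two cmp expressions cannot express. The textual expression form and the register number are assumptions chosen to resemble nft's netlink debug output, not the real wire encoding.

```python
import re

# Byte offset of each port field in the TCP header: source port is bytes 0-1,
# destination port bytes 2-3; both are 16-bit fields loaded as 2 bytes.
PORT_OFFSET = {"sport": 0, "dport": 2}

# Matches "--sport 12345", "--dport 0:1023" and the negated "! --dport 0:1023"
# as printed by iptables-save.
_PORT_RE = re.compile(
    r"(?P<neg>!\s+)?--(?P<field>sport|dport)\s+(?P<lo>\d+)(?::(?P<hi>\d+))?")


def parse_ports(rule):
    """Return [(field, lo, hi, negated), ...] for the tcp port matches in a rule."""
    if "-p tcp" not in rule:
        raise ValueError("only tcp rules are handled here")
    matches = []
    for m in _PORT_RE.finditer(rule):
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") is not None else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}:{hi}")
        matches.append((m.group("field"), lo, hi, m.group("neg") is not None))
    return matches


def to_nft_exprs(rule, prefer_range=False):
    """Translate one iptables-save rule into a list of expression descriptions.

    prefer_range=False mimics the compat behaviour discussed in the thread:
    a range becomes two cmp expressions (gte lo, lte hi) and the range
    expression is emitted only for a negated range. prefer_range=True uses
    range for every non-trivial range. The format is an assumed, informal
    rendering in the spirit of nft --debug=netlink output.
    """
    exprs = []
    for field, lo, hi, neg in parse_ports(rule):
        exprs.append(f"payload load 2b @ transport header + {PORT_OFFSET[field]} => reg 1")
        op = "neq" if neg else "eq"
        if lo == hi:
            exprs.append(f"cmp {op} reg 1 {lo}")
        elif neg or prefer_range:
            exprs.append(f"range {op} reg 1 {lo} {hi}")
        else:
            exprs.append(f"cmp gte reg 1 {lo}")
            exprs.append(f"cmp lte reg 1 {hi}")
    return exprs
```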