Dear all,

I have some problems that might well be due to my lack of understanding of nftables. My rules look like this:

    table filter {
        chain input {
            type filter hook input priority 0;
            icmp type { echo-request } limit rate 5/second counter accept
        }
    }

    table ip6 filter {
        chain input {
            type filter hook input priority 0;
            icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } ip6 hoplimit 255 counter log prefix "log1: " accept
            icmpv6 type { echo-request } limit rate 5/second counter accept
        }
    }

    table inet filter {
        chain input {
            type filter hook input priority 1;
            ct state { established, related } accept
            ct state invalid counter log prefix "log2: " drop
            iif lo accept
            # udp sport bootps dport bootpc accept
            counter log prefix "log3: " drop
        }
        chain output {
            type filter hook output priority 1;
            ct state { new, established, related } accept
            ct state invalid counter log prefix "log4: " drop
            oif lo accept
        }
    }

What I observe when I load these rules is that the accept in the log1 line is not enough to accept the packets. They are ultimately dropped in the log3 rule. How do I get the packets through both rule chains?

The second problem is in the "# udp sport bootps dport bootpc accept" line. I've seen examples with this syntax, but it's not accepted for me. What is the correct syntax to filter on both dport and sport? I've tried using "and" or "&", but that didn't work either.

And finally: Is there a way to match the destination MAC address of an incoming packet?

I'm running nftables 0.2 on kernel 3.14.4.

Best,
Michael
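The behaviour in the post follows from how nftables base chains work: an accept verdict only ends evaluation of the chain it is in, and the packet then continues to every other base chain registered on the same hook (lower priority number first), so a drop in any of them still wins. The ruleset below is an added example, not the poster's rules, that keeps the policy in a single inet input chain so each packet crosses one base chain; it assumes a current nft (the "udp sport ... udp dport ..." and "ether daddr" syntax is what current nft accepts, and was not checked against nftables 0.2 / kernel 3.14), and the MAC address in it is a placeholder.

```nft
# Added example: one inet table for both IPv4 and IPv6 (not from the post).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state { established, related } accept
        ct state invalid counter log prefix "log2: " drop

        # Neighbour discovery must be let in or the host loses its neighbours;
        # hop limit 255 rejects ND packets that were forwarded from off-link.
        icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } ip6 hoplimit 255 counter accept

        # Rate-limited echo for both families in the same chain.
        icmp type echo-request limit rate 5/second counter accept
        icmpv6 type echo-request limit rate 5/second counter accept

        # Matching both ports: each match carries its own "udp" prefix
        # (ports may be given by number or by service name).
        udp sport 67 udp dport 68 counter accept

        # Destination MAC comes from the link-layer header via "ether daddr";
        # 02:00:00:00:00:01 is a placeholder, not a real address.
        ether daddr 02:00:00:00:00:01 counter log prefix "mac: " accept

        # Everything else is logged and dropped once, in one place.
        counter log prefix "log3: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ct state invalid counter log prefix "log4: " drop
    }
}
```

If separate tables per family are kept instead, every base chain on the input hook must accept the neighbour-discovery packets, since an accept in the ip6 chain does not exempt them from the inet chain that runs after it.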