Dear Álvaro,

thank you for your detailed answers. Some questions still remain, unfortunately.

> > icmp type { echo-request } limit rate 5/second counter accept
> >      ^^^^^^^^^^^^^^^^
> It's a single element, you don't need to use a set. You can use the rule

I just added the braces to be consistent throughout the ruleset.

> > What I observe when I load these rules is that the accept in the log1 line is
> > not enough to accept the packets. They are ultimately dropped in the log3
> > rule. How do I get the packets through both rule chains?
>
> Because you have a table inet and a table ip6. The table ip6 filter
> sees the ip6 traffic and the table inet filter sees the ip4 and ip6
> traffic. You have defined the priority of the first chain at 0, so
> nftables checks the rules there and afterwards nftables checks the rules
> inside of the filter chain in inet.
>
> I suggest you use one single filter table like inet.

What would the rule look like? I tried to just copy it to the inet section,
but I get "Error: conflicting protocols specified: inet-service vs. icmpv6".
I created the separate ip and ip6 tables only for icmp and icmpv6, because
I couldn't get past this issue:

$ nft add rule inet filter input icmp type { echo-request } limit rate 5/second counter accept
<cmdline>:1:28-36: Error: conflicting protocols specified: inet-service vs. icmp

$ sudo nft add rule inet filter input icmpv6 type { echo-request } limit rate 5/second counter accept
<cmdline>:1:28-38: Error: conflicting protocols specified: inet-service vs. icmpv6

$ nft add rule ip6 filter input icmpv6 type { echo-request } limit rate 5/second counter accept
<works>

> > # udp sport bootps dport bootpc accept
>
> The rule is like that:
>
> nft add rule filter input udp sport bootps udp dport bootpc accept

OK, I overlooked the second udp. Now it works fine.

> > And finally: Is there a way to match the destination mac address of an
> > incoming packet?
>
> You must add a rule with ether like this:
>
> nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter

In what section would that go? When I just execute the command, I get:

<cmdline>:1:1-59: Error: Could not process rule: No such file or directory
add rule filter input ether daddr 20:16:d8:a2:59:33 counter

Thanks again,
Michael

-- 
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
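One way to write the single inet table Álvaro suggests, as an added example that is not part of this thread: the ICMP and ICMPv6 rules carry an explicit meta nfproto match so the inet family knows which L3 header the icmp/icmpv6 expression refers to, and the DHCP and ether rules from the replies are placed in the same input chain. The table name, the drop policy and the explicit nfproto dependency are assumptions; the MAC address is the one quoted above.

```nft
# Assumed layout: one inet table handles both IPv4 and IPv6, replacing the
# separate ip6 table so that a packet is evaluated by a single input chain.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # policy is an assumption

        ct state established,related accept
        iif lo accept

        # Explicit L3 dependency (assumption) instead of relying on nft to infer
        # it from the icmp/icmpv6 expression inside the inet family.
        meta nfproto ipv4 icmp type echo-request limit rate 5/second counter accept
        meta nfproto ipv6 icmpv6 type echo-request limit rate 5/second counter accept

        # DHCP client traffic, both udp keywords as in Álvaro's reply.
        udp sport bootps udp dport bootpc accept

        # Count frames addressed to this interface's MAC; no verdict, so
        # evaluation continues with the following rules.
        ether daddr 20:16:d8:a2:59:33 counter
    }
}

# Note: when no family is given on the command line, nft defaults to the ip
# family, so "nft add rule filter input ..." addresses table "ip filter" and
# not the inet table above; use "nft add rule inet filter input ..." instead.
```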