Hi Merlin, Duncan,

On Wed, Feb 07, 2018 at 11:32:51AM +1100, Duncan Roe wrote:
> On Tue, Feb 06, 2018 at 05:28:09PM +0100, Merlin Büge wrote:
> > Hey all,
> >
> > I'm playing around with nftables and wonder how I could filter e.g.
> > only ipv6 SSH traffic in an inet table?
> >
> > I've set up a basic inet filter table with the three chains input,
> > forward and output.
> >
> > When I then do:
> >
> > "nft add rule inet filter input ip6 nexthdr tcp tcp dport ssh drop"
> >
> > ... "nft list ruleset" is showing me only "tcp dport ssh drop", so it
> > seems the ipv6 bit got missed. I also tried:
> >
> > "nft add rule inet filter input meta nfproto ipv6 tcp dport ssh drop"
> >
> > ... but it yields the same output.
> >
> > What am I doing wrong here?
> >
> > Note that I'm not wanting to actually drop IPv6 SSH traffic, I'm just
> > trying to get used to nftables :)
> >
> > I'm using nftables v0.8.2 on an up-to-date archlinux.
> >
> > Any pointer appreciated!
> >
> > Thanks!
> > --
> > Merlin Büge <toni@xxxxxxxxxxxx>
>
> Hi Merlin,
>
> Could you possibly post all of the output from nft list ruleset?
>
> That would give us some context around the one-liner,

We need to keep ip6 nexthdr around, since this is implicitly restricting
to match only IPv6 in the inet chain, where we can see IPv4 and IPv6
traffic.

Looking into this.
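For reference, here is a complete ruleset file (an added example, not from the thread or the nftables project) with the inet table and three base chains Merlin describes, showing both forms of the IPv6-only restriction side by side with counters so the match can be verified independently of what `nft list ruleset` prints. The table and chain names are assumed to match Merlin's setup.

```nft
# Added example: inet table seeing both IPv4 and IPv6, with two equivalent
# ways of limiting an SSH rule to IPv6 only. Counters let you confirm the
# family restriction works even if the listing does not show it.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Explicit family match: only IPv6 packets are tested for tcp dport.
        meta nfproto ipv6 tcp dport ssh counter drop

        # Equivalent form: ip6 nexthdr requires an IPv6 header, so this rule
        # can never match IPv4 traffic even though the inet chain sees both.
        ip6 nexthdr tcp tcp dport ssh counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f` and compare the two counters against IPv4 and IPv6 SSH connections: an IPv4 connection should leave both counters untouched, regardless of whether the listing shows the `ip6 nexthdr` or `meta nfproto` part of the rule.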