On 2018-06-01 at 13:18, Arturo Borrero Gonzalez wrote:
> It works for me here:
> table ip t {
>     chain c {
>         icmp type echo-request limit rate over 10/second drop
>         icmp type echo-request limit rate over 10/second drop
>     }
> }
>
> Make sure you don't make copy & paste errors, the line split you have
> in your email led me to the exact same error message.

I typed in every letter one by one at the command line manually. no way.

after fiddling around I came across if I rename my »table ip filter« into »table inet filter« it works.

still wondering I need to use inet because I try to avoid ipv6.

BUT now var-definitions are not working anymore. just my testscript here:

% nano bastion-ruleset.nft
------------[snip]-------------------
#!/usr/sbin/nft -f
flush ruleset
include "./bastion-defines.nft"
table bridge filter {
}
table netdev filter{
    include "./bastion-bridge-sets.nft"
    include "./bastion-bridge-ingress.nft"
}
table ip mangle {
    include "./bastion-mangle.nft"
}
table ip nat {
    include "./bastion-nat-prerouting.nft"
    include "./bastion-nat-input.nft"
    include "./bastion-nat-output.nft"
    include "./bastion-nat-postrouting.nft"
}
table inet filter {
    include "./bastion-inet-filter-global.nft"
    include "./bastion-inet-filter-sets.nft"
    include "./bastion-inet-filter-forward.nft"
    include "./bastion-inet-filter-local.nft"
}
------------[snip]-------------------

results in many lines of errors like:

Error: unknown identifier or unexpected string, expecting number

but those vars are already defined in the file bastion-defines.nft.

nftables debugging is a nightmare.

cheers
karl