ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> nft 0.8.2
>
> Since I am struggling a bit with the syntax for l4proto bridge filtering
> I would hope someone could point me in the right direction. Perhaps I am
> suffering a misconception about level 4 filtering - is bridge filtering
> at level 2, similar to netdev, and thus not working with transport
> headers at level 2?

It works just fine.

> nft add rule bridge filter input meta l4proto { tcp, udp } @th,16,16 53 accept
>
> is producing
>
> Error: conflicting protocols specified: inet-service vs. unknown
> add rule bridge filter input meta l4proto { tcp, udp } @th,16,16 53 accept

It works with 0.8.3 onwards. You can use

add rule bridge filter input tcp dport 53 accept
add rule bridge filter input udp dport 53 accept

> Neither the nft wiki nor the man pages explain/expand on @th,16,16 -
> is it a hard coded set, indicated by @? th is likely abbreviating
> transport header? What about 16,16?

It's a "raw payload protocol expression". It asks to load 16 bits of the
transport header at offset 16. For udp and tcp this contains the
destination port.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
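To make the `@th,16,16` semantics concrete, here is an added example (not from the thread or from nftables itself) that emulates the raw payload expression on constructed TCP and UDP headers: loading 16 bits at bit offset 16 of the transport header yields the destination port for both protocols, which is why one `meta l4proto { tcp, udp } @th,16,16 53` rule can stand in for the two `dport` rules above. The header builders and the `th_load`/`matches_dns_rule` names are my own for illustration.

```python
import struct


def th_load(transport_header: bytes, offset_bits: int, length_bits: int) -> int:
    """Emulate nft's raw payload expression @th,<offset>,<length>.

    Loads <length> bits starting at bit offset <offset> of the transport
    header and returns them as a network-order (big-endian) integer.
    This emulation handles byte-aligned fields only, which covers
    @th,16,16 (destination port) and @th,0,16 (source port).
    """
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("only byte-aligned offsets/lengths are emulated")
    start = offset_bits // 8
    nbytes = length_bits // 8
    field = transport_header[start:start + nbytes]
    if len(field) != nbytes:
        raise ValueError("transport header too short for requested field")
    return int.from_bytes(field, "big")


def build_tcp_header(sport: int, dport: int) -> bytes:
    # Constructed minimal 20-byte TCP header: sport, dport, seq, ack,
    # data offset (5 words) + reserved, flags (SYN), window, checksum, urgent.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp_header(sport: int, dport: int, payload_len: int = 0) -> bytes:
    # Constructed 8-byte UDP header: sport, dport, length, checksum.
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def matches_dns_rule(l4proto: str, transport_header: bytes) -> bool:
    """Equivalent of: meta l4proto { tcp, udp } @th,16,16 53 accept"""
    return l4proto in ("tcp", "udp") and th_load(transport_header, 16, 16) == 53


if __name__ == "__main__":
    for proto, hdr in (("tcp", build_tcp_header(40000, 53)),
                       ("udp", build_udp_header(5353, 53)),
                       ("tcp", build_tcp_header(53, 443))):
        print(proto, "@th,16,16 =", th_load(hdr, 16, 16),
              "matches:", matches_dns_rule(proto, hdr))
```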