Thank you for the instant feedback!

I was trying to concatenate { udp, tcp } but that does not seem to work, or is this something only available from 0.8.3 onward?

add rule bridge filter input { tcp, udp } dport 53 accept
add rule bridge filter input meta protocol { tcp, udp } dport 53 accept
add rule bridge filter input meta nfproto { tcp, udp } dport 53 accept
add rule bridge filter input inet_proto { tcp, udp } dport 53 accept
add rule bridge filter input type inet_proto { tcp, udp } dport 53 accept

Bridge filtering is then on OSI model level 4 compared to Netdev on OSI level 2 or is Bridge filtering relying entirely on the TCP/IP model layers? That does not seem really/very clear in the NFT wiki/man pages.

On 6/19/2018 10:04 AM, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
>> nft 0.8.2
>>
>> since I am struggling a bit with the syntax for l4proto bridge filtering
>> I would hope someone could point me in the right direction. Perhaps I am
>> suffering a misconception about level 4 filtering - is bridge filtering
>> at level 2, similar to netdev and thus not working with transport
>> headers at level 2?
> It works just fine.
>
>> nft add rule bridge filter input meta l4proto { tcp, udp } @th,16,16 53 accept
>>
>> is producing
>>
>> Error: conflicting protocols specified: inet-service vs. unknown
>> add rule bridge filter input meta l4proto { tcp, udp } @th,16,16 53 accept
> It works with 0.8.3 onwards.
> You can use
> add rule bridge filter input tcp dport 53 accept
> add rule bridge filter input udp dport 53 accept
>
>> Neither the nft wiki nor man pages explain/expand on @th,16,16 -
>> is it a hard coded set - indicated by @? th is likely abbreviating
>> transport header? What about 16,16?
> It's a "raw payload protocol expression".
> It asks to load 16 bits of the transport header at offset 16.
> For udp and tcp this contains the destination port.
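The raw payload expression explained in the quoted reply, as an added example that is not part of the original thread: a Python model of what `@th,16,16` selects, run against constructed TCP and UDP headers. The helper names (`raw_payload`, `sample_udp`, `sample_tcp`, `is_dns_dport`) and the source port 40000 are assumptions made for illustration.

```python
import struct

def raw_payload(header: bytes, offset: int, length: int) -> int:
    """Read `length` bits starting `offset` bits into `header` (network order).

    Models the @base,offset,length form from the thread; both numbers are
    bit counts, so @th,16,16 is bytes 2-3 of the transport header.
    """
    total_bits = len(header) * 8
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    if offset + length > total_bits:
        raise ValueError("field runs past the end of the header")
    shift = total_bits - offset - length
    return (int.from_bytes(header, "big") >> shift) & ((1 << length) - 1)

def sample_udp(sport: int, dport: int) -> bytes:
    # Constructed 8-byte UDP header: sport, dport, length, checksum.
    return struct.pack("!HHHH", sport, dport, 8, 0)

def sample_tcp(sport: int, dport: int) -> bytes:
    # Constructed 20-byte TCP header (SYN, data offset 5, no options).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def is_dns_dport(transport_header: bytes) -> bool:
    # Same comparison as "@th,16,16 53". It only means "destination port"
    # when the header is TCP or UDP, hence the meta l4proto match in the rule.
    return raw_payload(transport_header, 16, 16) == 53

if __name__ == "__main__":
    for name, hdr in (("udp", sample_udp(40000, 53)), ("tcp", sample_tcp(40000, 53))):
        print(name, "sport", raw_payload(hdr, 0, 16), "dport", raw_payload(hdr, 16, 16),
              "dns" if is_dns_dport(hdr) else "other")
    # Non-byte-aligned read: the 4-bit TCP data offset at bit 96.
    print("tcp data offset", raw_payload(sample_tcp(40000, 53), 96, 4))
```
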