>> I was trying to concatenate { udp, tcp } but that does not seem to work,
>> or is this something only available from 0.8.3 onward?

> This doesn't work in any version of nftables.
> The dport keyword is only valid after "udp", "tcp", or any other protocol
> that has a notion of a "destination port".
>
> The only way to express this at the moment is the use of the raw payload
> notion, which works from 0.8.3 onwards.
>
> This is a limitation of nftables parser..
> Suggestions or patches to fix this welcome.

Unfortunately I am code illiterate and thus not in the position to contribute a patch :-[

I had hoped to concatenate the nft rules for tcp/udp and dns/dhcp into named sets.

Are sets working with l4proto raw? e.g.

add table bridge filter
add chain bridge filter input { type filter hook input priority 0 ; }
# protocol set: matched via meta l4proto
add set bridge filter tuc { type inet_proto ; elements = { udp, tcp } }
# port set: ports are inet_service, not inet_proto
add set bridge filter dd { type inet_service ; elements = { 53, 67 } }
add rule bridge filter input meta l4proto @tuc @th,16,16 @dd

> You can use netdev ingress to attach a base chain to a particular bridge
> port, for instance.

something like this?

table netdev filter {
    chain br0 {
        type filter hook ingress device br0 priority 0; policy drop;
        tcp dport 56009 accept
    }
}

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
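The reply above suggests a netdev ingress base chain on a particular bridge port rather than on the bridge itself. The ruleset below is an added example, not code from the thread: it attaches the chain to a hypothetical port device named eth0, keeps the tcp/udp and dns/dhcp matches in named sets as the poster wanted, and assumes a newer nftables release that understands the "th" transport-header keyword (which the 0.8.3-era raw "@th,16,16" notation predates). The table and chain names are assumptions, and the drop log is rate-limited so a flood cannot fill the journal.

```nft
# Added example (not from the thread). Assumes the bridge port is "eth0"
# (hypothetical) and an nftables release with the "th" keyword.
table netdev brport_filter {
    # protocols that carry a destination port we care about
    set tuc {
        type inet_proto
        elements = { tcp, udp }
    }
    # dns and dhcp server ports
    set dd {
        type inet_service
        elements = { 53, 67 }
    }
    chain ingress_eth0 {
        # netdev ingress sees frames on the physical port before bridging
        type filter hook ingress device eth0 priority 0; policy drop;
        # one rule covers tcp/udp x dns/dhcp: protocol set plus port set
        meta l4proto @tuc th dport @dd counter accept
        # everything else falls to the drop policy; sample the drops
        limit rate 10/second log prefix "brport-drop: "
        counter drop
    }
}
```

Check the syntax without loading it with `nft -c -f brport.nft`, then load with `nft -f brport.nft`. Because the chain sits on the port device, the same file can be duplicated per port with a different `device` and chain name; the sets can be updated at runtime with `nft add element netdev brport_filter dd { 68 }` without reloading the rules.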