ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> > This is a limitation of the nftables parser.
> > Suggestions or patches to fix this welcome.
> Unfortunately I am code illiterate and thus not in the position to
> contribute a patch :-[
>
> I had hoped to concatenate the nft rules for tcp/udp and dns/dhcp into
> named sets. Are sets working with l4proto raw?, e.g.
>
> add table bridge filter set tuc { type inet_proto ; elements = { udp, tcp } }
> add table bridge filter set dd { type inet_proto ; elements = { 53, 67 } }
> add rule bridge filter input meta l4proto @tuc @th,16,16 @dd

Yes, should work.

> > You can use netdev ingress to attach a base chain to a particular bridge
> > port, for instance.
> something like this?
>
> table netdev filter {
>         chain br0 {
>                 type filter hook ingress device br0 priority 0; policy drop;
>                 tcp dport 56009 accept
>         }
> }

That evaluates "br0" for every packet making it into br0.

What I mean by "bridge port" is a device that was enslaved to the bridge,
e.g. eth0. It avoids filter overhead for devices that do not need filtering.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
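The following ruleset is an added example, not something posted in the thread, putting the two points above together: the base chain hooks ingress on the enslaved port (eth0) rather than on br0, and the tcp/udp and dns/dhcp matches are collapsed into named sets. It assumes eth0 is enslaved to br0 and carries the untrusted side, and that the nft version in use supports the `th` pseudo-header for the transport port; the set names, the ports and the interface names are assumptions. The port set is typed `inet_service`, since its elements are ports, while the protocol set is typed `inet_proto`.

```nft
#!/usr/sbin/nft -f
# Added example (not from the netfilter thread). Assumptions: eth0 is a port
# enslaved to br0, ports 53/67/56009 are the services to admit, and nft is
# recent enough to understand "th dport".

flush ruleset

table netdev filter {
    # Transport protocols to match with one rule.
    set tuc {
        type inet_proto
        elements = { tcp, udp }
    }

    # Destination ports to match: dns (53) and the dhcp server port (67).
    set dd {
        type inet_service
        elements = { 53, 67 }
    }

    # Hook the enslaved port, not br0: frames arriving on other bridge ports
    # never traverse this chain, so they carry no filtering cost.
    chain eth0_in {
        type filter hook ingress device eth0 priority 0; policy drop;

        # Ingress sees raw frames. With policy drop, ARP has to be admitted
        # explicitly or hosts behind this port stop resolving.
        ether type arp accept

        # One rule for dns/dhcp over either transport: "th" is the generic
        # transport header, so dport is read regardless of which protocol
        # in the set matched.
        meta l4proto @tuc th dport @dd accept

        # Equivalent on older nft without "th": raw 16-bit field at bit
        # offset 16 of the transport header, i.e. the destination port.
        # meta l4proto @tuc @th,16,16 { 53, 67 } accept

        # The service from the original post.
        tcp dport 56009 accept

        # Everything else falls to the chain policy (drop); count it so the
        # dropped volume is visible in "nft list ruleset".
        counter
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and checks it without touching the live ruleset, which is the safe first step on a remote box since `policy drop` on the wrong device locks you out.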