> iifname can be used in sets starting with 0.8.3 version.
> You can use 'iif' instead to check by interface index number which will
> be fine if the interfaces are not dynamic (like ppp for instance).
>

So |iif| can be used in sets in 0.8.2, is my understanding correct? But then I do not see how with the sets type strings available |ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark|. Say I want to construct this set

    set lan {
        type iif
        elements = { lo, br0, br1 , br2, br3 }
    }

and a subsequent rule with |meta iif ne @lan|

>> but |meta iifname ne br*| is throwing this
>> "Error: Could not process rule: Device or resource busy".
> That's strange, this works fine for me even when I downgrade to 0.8.2.
> It's expected to work.

Cannot get it to work, error shows up every time when trying

|nft add inet filter input meta iifname ne br* ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets } continue|

to the existing rule set:

    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept # handle 4
            ct state invalid drop # handle 5
            iif "lo" accept # handle 6
            iifname "br*" tcp dport domain accept # handle 7
            iifname "br*" udp dport domain accept # handle 8
            iifname "br*" tcp dport bootps accept # handle 9
            iifname "br*" udp dport bootps accept # handle 10
            iifname != "lo" ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue # handle 14
            iifname != "lo" tcp dport 56009 ct state new meter ssh-meter { ip saddr limit rate 10/minute} accept # handle 15
            udp dport 61023 ct state new meter ovpn-meter { ip saddr limit rate 10/hour burst 7 packets} continue # handle 16
        }