ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> > > iifname can be used in sets starting with 0.8.3 version.
> > > You can use 'iif' instead to check by interface index number which will
> > > be fine if the interfaces are not dynamic (like ppp for instance).
> > >
> So |iif| can be used in sets in 0.8.2, is my understanding correct?

Yes.

> But then I do not see how with the set type strings available |ipv4_addr,
> ipv6_addr, ether_addr, inet_proto, inet_service, mark|.
> Say I want to construct this set
>
> set lan {
>     type iif
>     elements = { lo, br0, br1, br2, br3 }
> }
>
> and a subsequent rule with |meta iif ne @lan|

It's the same as meta iif { lo, br0, br1, br2, br3 } except that the 'named set' (@lan) can be added to or removed from later.

> >> but |meta iifname ne br*| is throwing this
> >> "Error: Could not process rule: Device or resource busy".
> >
> > That's strange, this works fine for me even when I downgrade to 0.8.2.
> > It's expected to work.
>
> Cannot get it to work, error shows up every time when trying |nft add
> inet filter input meta iifname ne br* ct state new meter global-meter {
> ip saddr limit rate 100/second burst 25 packets } continue| to
> the existing rule set:
>
> table inet filter {
>     chain input {
>         type filter hook input priority 0; policy drop;
>         ct state established,related accept # handle 4
>         ct state invalid drop # handle 5
>         iif "lo" accept # handle 6
>         iifname "br*" tcp dport domain accept # handle 7
>         iifname "br*" udp dport domain accept # handle 8
>         iifname "br*" tcp dport bootps accept # handle 9
>         iifname "br*" udp dport bootps accept # handle 10
>         iifname != "lo" ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue # handle 14
>         iifname != "lo" tcp dport 56009 ct state new meter ssh-meter { ip saddr limit rate 10/minute} accept # handle 15
>         udp dport 61023 ct state new meter ovpn-meter { ip saddr limit rate 10/hour burst 7 packets} continue # handle 16
>     }
> }

The name 'global-meter' already exists, they need to be unique.

You can either try

meta iifname ne { br0, br1, br2, br3, lo } ct state new meter ..

or

meta iifname ne "lo" meta iifname ne "br*" ct state new meter ..

but lo is not needed here because your rule handle 6 already accepts all packets coming in via loopback.