I have the following iptables rule that I want to convert to an nftables rule:

    $ipt -A peerblock -p tcp -m multiport ! --dports 80,443 -m set --match-set some_set dst -j DROP

This rule won't block ports 80 and 443, no matter what kind of IP addresses are in the set. All other packets destined to the IPs from the set (no matter what port) will be dropped.

I thought I would create a similar rule in nftables, but according to the "quick reference" page, I have only the following options:

    tcp dport 22
    tcp dport != 33-45
    tcp dport { 33-55 }
    tcp dport { telnet, http, https }
    tcp dport vmap { 22 : accept, 23 : drop }
    tcp dport vmap { 25:accept, 28:drop }

There's no "!= 80,443" or "!= 80, != 443" or "{ !80, !443 }" or "{ !=80, !=443 }" or "!{ 80, 443 }". So the only option I think is suitable here is "vmap", which would look like this:

    add rule ip raw-set peerblock ip daddr @some_set tcp dport vmap { 80:accept, 443:accept }
    add rule ip raw-set peerblock ip daddr @some_set counter drop

So one iptables rule becomes two nftables rules? Is there a way to concatenate the nftables rules and have only one rule, as in the case of iptables?

I also tried:

    add rule ip raw-set peerblock ip daddr @some_set tcp dport vmap { 80:accept, 443:accept } counter drop

which in my mind would be: allow 80 and 443 and block the rest. But that actually doesn't work; I mean, it doesn't block the rest.

Also, does "counter" work with vmap? Because I see "0" all the time.
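An added worked example, not part of the original message: nftables does accept a negated anonymous set, so the iptables rule above translates to a single nft rule, `ip daddr @some_set tcp dport != { 80, 443 } counter drop` (this needs a kernel and nft release that support inverted set lookups, which all current distributions ship). The Python below is a deliberately simplified model of nft rule evaluation, written for this thread rather than taken from nftables, to show why `vmap { 80:accept, 443:accept } counter drop` never reaches the `counter drop` (a vmap hit emits its verdict immediately, a miss ends the rule, so the counter stays at 0) and why the negated-set rule behaves like the iptables original. The set contents and packets are constructed sample data.

```python
"""Simplified model of nft rule evaluation (not nftables itself).

A chain is a list of rules; a rule is a list of expressions evaluated left
to right.  A failed match ends the rule and evaluation moves to the next
rule; a verdict ends the chain.  A vmap lookup that hits emits its verdict
at once; a miss ends the rule, exactly like a failed match.
"""

# Constructed sample contents of @some_set (TEST-NET addresses).
SOME_SET = {"203.0.113.10", "198.51.100.7"}
ACCEPT, DROP, CONTINUE = "accept", "drop", "continue"


def daddr_in(addrs):
    """ip daddr @set"""
    return ("match", lambda pkt: pkt["daddr"] in addrs)


def dport_in(ports, negate=False):
    """tcp dport { ... } or, with negate=True, tcp dport != { ... }"""
    return ("match", lambda pkt: (pkt["dport"] in ports) != negate)


def vmap(table):
    """tcp dport vmap { port : verdict, ... }: hit -> verdict, miss -> no match"""
    return ("vmap", lambda pkt: table.get(pkt["dport"]))


def counter():
    return ("counter", None)


def verdict(v):
    return ("verdict", v)


def run_chain(chain, pkt, counters):
    """Return the verdict for pkt.  counters[i] counts packets that reached
    the counter statement of rule i, mirroring what `nft list chain` shows."""
    for i, rule in enumerate(chain):
        for kind, arg in rule:
            if kind == "match":
                if not arg(pkt):
                    break                      # rule does not match, next rule
            elif kind == "vmap":
                v = arg(pkt)
                if v is None:
                    break                      # key missing: rule does not match
                return v                       # key present: verdict is terminal
            elif kind == "counter":
                counters[i] = counters.get(i, 0) + 1
            elif kind == "verdict":
                return arg
    return CONTINUE                            # chain policy / later rules decide


# The poster's single-rule attempt: the vmap verdict or miss ends the rule
# before `counter drop` is ever evaluated.
VMAP_THEN_DROP = [
    [daddr_in(SOME_SET), vmap({80: ACCEPT, 443: ACCEPT}), counter(), verdict(DROP)],
]

# Faithful single-rule translation of
#   -p tcp -m multiport ! --dports 80,443 -m set --match-set some_set dst -j DROP
# in nft syntax:
#   ip daddr @some_set tcp dport != { 80, 443 } counter drop
NEGATED_SET = [
    [daddr_in(SOME_SET), dport_in({80, 443}, negate=True), counter(), verdict(DROP)],
]

# Constructed sample traffic: two packets to an address in the set, one to an
# address outside it.
PACKETS = [
    {"daddr": "203.0.113.10", "dport": 443},
    {"daddr": "203.0.113.10", "dport": 22},
    {"daddr": "192.0.2.1", "dport": 22},
]


def evaluate(chain):
    """Run every sample packet through chain; return (verdicts, counter of rule 0)."""
    counters = {}
    verdicts = [run_chain(chain, pkt, counters) for pkt in PACKETS]
    return verdicts, counters.get(0, 0)


if __name__ == "__main__":
    for name, chain in (("vmap then counter drop", VMAP_THEN_DROP),
                        ("dport != { 80, 443 }", NEGATED_SET)):
        verdicts, hits = evaluate(chain)
        print(f"{name:24} verdicts={verdicts} counter={hits}")
```

Two things the run makes visible. First, with the vmap form the counter is 0 and port 22 to a set address is never dropped, because the rule ends at the vmap either way. Second, the vmap form is not equivalent to the iptables rule even when split into two rules: `vmap { 80:accept, 443:accept }` accepts 80/443 to the set addresses terminally, whereas the iptables `! --dports 80,443 ... -j DROP` simply does not match them and lets later rules in the chain see them. The negated-set rule preserves that fall-through, which matters if rules further down are meant to inspect that traffic.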