ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> Citing an example from the WIKI
>
> nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH
> connection: \" accept
>
> there is no "ip protocol" stipulated. And neither does it throw an error and
> it works as expected (described in the WIKI)

Why would there?

tcp dport eq 22
ct state eq new
log prefix \"New SSH ...\"
accept

See? 4 statements, first two statements are equality tests, 3rd
statement is log, 4th is the verdict.

> Trying something similar in the inet table
>
> nft add rule inet filter input tcp log
>
> throws
>
> Error: syntax error, unexpected log

Of course, because this is not similar at all.

This is

tcp
log

"tcp" isn't a statement. What should it mean?

> * nft add rule inet filter input ip protocol tcp log
> * nft add rule inet filter input ip6 nexthdr icmpv6 log
>
> neither throws an error. Hope that makes it clear.

Why would it? It's valid.

ip protocol == tcp
log

ip6 nexthdr == icmpv6
log

both are two valid statements.

It might help if you would explain what you are trying to do.