On 05/02/2020 15:37, Florian Westphal wrote:
ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
Citing an example from the WIKI
nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" accept
there is no "ip protocol" stipulated. And neither does it throw an error and
it works as expected (described in the WIKI)
Why would there be?
tcp dport eq 22
ct state eq new
log prefix \"New SSH ...\"
accept
See?
4 statements, first two statements are equality tests,
3rd statement is log, 4th is the verdict.
Trying something similar in the inet table
nft add rule inet filter input tcp log
throws
Error: syntax error, unexpected log
Of course, because this is not similar at all.
This is
tcp
log
"tcp" isn't a statement. What should it mean?
Well, it was supposed to mean to log tcp traffic without being specific
on the header fields.
It dawns on me (belatedly) however that it either needs to be stipulated
as layer protocol (preceding) or else to be expanded (trailing) with a
header field match in order to be considered a valid statement for the
nft parser. Suppose I have been trying to keep the code as light/shorthand as
possible.
Thanks for the input/pointer.
Not directly related to the subject but curious about concentrating log
flags, level and prefix, is this valid syntax (within context of course):
log flags all level debug prefix
or does it require
log flags all log level debug log prefix
* nft add rule inet filter input ip protocol tcp log
* nft add rule inet filter input ip6 nexthdr icmpv6 log
neither throws an error. Hope that makes it clear.
Why would it? It's valid.
ip protocol == tcp
log
ip6 nexthdr == icmpv6
log
both are two valid statements.
It might help if you would explain what you are trying to do.
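As an added illustration (not part of the thread and not nft's own parser): a small Python model of the rule grammar discussed above. It treats a match expression as protocol keyword + header field + optional relational operator + value (equality implied), a single `log` keyword as carrying all of its `prefix`/`level`/`flags` options, and a bare verdict as a statement; the protocol/field tables are a constructed subset, and the error strings only mimic nft's wording.

```python
import shlex

# Toy model of the nft grammar subset discussed above (not nft's parser).
# "<proto> <field> [eq|==|ne|!=] <value>" is a match; equality is implied when
# the operator is omitted, so "tcp dport 22" is a statement and bare "tcp" is not.
FIELDS = {"tcp": {"dport", "sport"}, "ip": {"protocol", "saddr", "daddr"},
          "ip6": {"nexthdr", "saddr", "daddr"}, "ct": {"state"}}
RELOPS = {"eq", "==", "ne", "!="}
LOG_OPTS = {"prefix", "level", "flags"}     # options of ONE log keyword
VERDICTS = {"accept", "drop", "reject", "continue"}

def parse_rule(rule):
    """Split rule into statements; raise SyntaxError with an nft-style message."""
    toks = shlex.split(rule)                # keeps the quoted log prefix intact
    stmts, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t in FIELDS:                     # match expression
            nxt = toks[i + 1] if i + 1 < len(toks) else "end of rule"
            if nxt not in FIELDS[t]:        # "tcp log": log is not a tcp field
                raise SyntaxError(f"syntax error, unexpected {nxt}")
            field, i, op = nxt, i + 2, "eq"
            if i < len(toks) and toks[i] in RELOPS:
                op, i = toks[i], i + 1
            if i >= len(toks):
                raise SyntaxError("syntax error, unexpected end of rule")
            stmts.append(("match", t, field, op, toks[i]))
            i += 1
        elif t == "log":                    # log [prefix ..] [level ..] [flags ..]
            opts, i = {}, i + 1
            while i < len(toks) and toks[i] in LOG_OPTS:
                if i + 1 >= len(toks):
                    raise SyntaxError("syntax error, unexpected end of rule")
                opts[toks[i]] = toks[i + 1]
                i += 2
            stmts.append(("log", opts))
        elif t in VERDICTS:
            stmts.append(("verdict", t))
            i += 1
        else:
            raise SyntaxError(f"syntax error, unexpected {t}")
    return stmts

def check(rule):
    """('ok', statements) or ('error', message) for a rule body."""
    try:
        return "ok", parse_rule(rule)
    except SyntaxError as e:
        return "error", str(e)
```

`check("tcp log")` reproduces the "unexpected log" failure, while `check('log flags all level debug prefix "x"')` yields one log statement and the repeated-`log` form yields three separate ones.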