On 22.03.20 at 14:40, Darius wrote:
> Hi,
> I can't find a way to make one rule matching packets with the same dport on either tcp or udp. So far I have rules like this:
>
> ip protocol tcp tcp dport 2000 counter accept
> ip protocol udp udp dport 2000 counter accept
>
> I would like to have one rule instead. I couldn't find a way to do it with intervals or maps because the dport statement must go together with tcp or udp.

Not sure about nftables, but with iptables, "ipset" is the solution:

--------------------
Name: DNS_PORT
Type: bitmap:port
Header: range 53-53
Size in memory: 80
Number of entries: 1
Members:
53
--------------------

    9 1333K  102M IN_DNS  all  --  *  *  match-set DNS_PORT dst
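For the nftables side of the question, an added example (not from either poster): the reason "tcp dport" and "udp dport" cannot be merged is that each one loads the port from a protocol-specific header, but nft also has the transport-header expression "th", which reads the destination port at the same offset regardless of which L4 protocol was matched. That lets the two rules collapse into one, with the counter kept. The table and chain names are assumptions for illustration; the port is the 2000 from the original rules.

```nft
# Added example, not code from the original thread. Table/chain names are
# placeholders; only the port (2000) and the counter come from the question.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # "th dport" = destination port of the transport header, so one rule
        # covers tcp and udp once meta l4proto has restricted the protocol set.
        meta l4proto { tcp, udp } th dport 2000 counter accept

        # Equivalent raw-payload form for nft versions without the "th"
        # keyword: 16 bits at offset 16 of the transport header.
        # meta l4proto { tcp, udp } @th,16,16 2000 counter accept
    }
}
```

Always pair "th dport" with a "meta l4proto" restriction as above: without it the raw offset would be read from whatever transport header follows (ICMP, for instance), and the match would no longer mean "port 2000".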