> [..]
>> table inet portknock {
>> set port2 {
>> type inet_service
> [..]
>
>> set candidates {
>> type ipv4_addr . inet_service
>> flags timeout
>> }
>
> [..]
>> tcp dport 12345 add @candidates {ip saddr . @port2 timeout 10s}
>
> What is that supposed to do?

It's supposed to add the ip saddr and the dynamically added port from set port2 to set candidates.

> @candidate expects ip address + port.

Well, port2 is defined as inet_service, so that would match, wouldn't it?

>> So my question is: is this even supposed to work or not? If not, then maybe somebody could tell me why, and if it is supposed to work, why doesn't it?
>
> It's not possible to add a set to a set, if that's what you are asking.

So you can only add a number or a port description to an inet_service set, but not a set which contains an inet_service, I understand.

> I suspect you already found
> https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example ?

Yes, my version is a modified example of the first one.
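To illustrate the point made in the thread, here is an added example ruleset (not from the thread or from the wiki page linked above) that keeps the set names port2 and candidates but uses @port2 only where a set reference is legal, as a match, while the element added to @candidates is built from a literal port and the packet's own source address. The clients set, the knock ports 4000 and 4001, the final knock on 12345 and SSH on port 22 are assumptions for the example.

```nft
table inet portknock {
    # Ports accepted as the first knock. A set reference like @port2 can
    # only appear on the match side of a rule, never as an element value.
    set port2 {
        type inet_service
        elements = { 4000, 4001 }
    }

    # (source address, next expected port) pairs; entries expire on their own.
    set candidates {
        type ipv4_addr . inet_service
        flags timeout
    }

    # Sources that completed the sequence and may reach the protected port.
    set clients {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority -10; policy accept;

        # Stage 1: a knock on any port in @port2 records this source together
        # with the literal port it must hit next. The element value is a
        # concrete port, not the set the rule matched against.
        tcp dport @port2 add @candidates { ip saddr . 12345 timeout 10s }

        # Stage 2: the final knock is accepted only if (saddr, 12345) was
        # recorded in stage 1 and has not expired yet.
        tcp dport 12345 ip saddr . tcp dport @candidates \
            add @clients { ip saddr timeout 30s }

        # Protected service: allowed for completed knockers, dropped otherwise.
        tcp dport 22 ip saddr @clients accept
        tcp dport 22 drop
    }
}
```

Load it with `nft -f` and watch the dynamic sets with `nft list set inet portknock candidates` while knocking, to confirm that only the literal 12345 ends up stored alongside the source address.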