On Tue, Nov 02, 2021 at 02:39:33PM -0500, Matt Zagrabelny wrote:
> Replying to myself...
>
> On Mon, Nov 1, 2021 at 3:46 PM Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > I'd like to use the "inet" address family in a named set. I see nft
> > supports the following address families [AF] (among others):
> >
> > ip IPv4 address family.
> >
> > ip6 IPv6 address family.
> >
> > inet Internet (IPv4/IPv6) address
> > family.
> >
>
> I'm not sure nftables even would allow an "inet" to be used in a rule such as:
>
> table inet filter {
>     chain input {
>         inet saddr { 127.0.0.1, ::1 } tcp dport 22 accept
>     }
> }
>
> Instead, it seems I must do:
>
> table inet filter {
>     chain input {

There is no chain definition here, so this chain sees no traffic. The line

    type filter hook input priority filter; policy drop;

is missing.

>         ip saddr 127.0.0.1 tcp dport 22 accept
>         ip6 saddr ::1 tcp dport 22 accept

Better split your ruleset into a tree using verdict maps:

table inet filter {
    chain input_ip4 {
        ip saddr 127.0.0.1 accept
    }

    chain input_ip6 {
        ip6 saddr ::1 accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }

        # implicit match on 'ct state new,untracked'
        tcp dport 22 meta protocol vmap { ip : jump input_ip4, ip6 : jump input_ip6 }
    }
}
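As an added example (not code from either poster), the verdict-map layout from the reply combined with the named sets the original question asked about: since a set cannot be of family "inet", one set per address family lives in the inet table and is referenced only from the matching per-family chain. The addresses are constructed values from documentation ranges.

```nft
# Added example: per-family named sets behind a meta protocol verdict map.
# Load with `nft -f <file>`; `nft -c -f <file>` parses and checks without committing.
table inet filter {
    # Sets are typed per family; the inet table can hold both kinds.
    set admin_v4 {
        type ipv4_addr
        elements = { 127.0.0.1, 192.0.2.10 }      # constructed sample addresses
    }

    set admin_v6 {
        type ipv6_addr
        elements = { ::1, 2001:db8::10 }          # constructed sample addresses
    }

    # Per-family chains: only IPv4 packets reach input_ip4, only IPv6 reach input_ip6,
    # so each chain can safely use the selector (ip/ip6 saddr) that matches its family.
    chain input_ip4 {
        ip saddr @admin_v4 tcp dport 22 accept
    }

    chain input_ip6 {
        ip6 saddr @admin_v6 tcp dport 22 accept
    }

    # The base chain carries the hook; without it nothing above sees traffic.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }

        # New connections: dispatch on the L3 protocol, everything else hits policy drop.
        meta protocol vmap { ip : jump input_ip4, ip6 : jump input_ip6 }
    }
}
```

Elements can be added or removed at runtime with `nft add element inet filter admin_v4 { 198.51.100.7 }` (another constructed address) without reloading the ruleset.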