Greetings,
I have the following rules:
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
nd-neighbor-solicit, nd-neighbor-advert } accept
ct state vmap { invalid : drop, established : accept,
related : accept }
tcp dport { 1812, 1813 } meta protocol vmap { ip :
jump radius_ipv4, ip6 : jump radius_ipv6 }
}
# contrived chains...
chain radius_ipv4 {
ip saddr { 127.0.0.0/8, } accept
}
chain radius_ipv6 {
ip6 saddr { ::1 } accept
}
}
I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
dport { 1812, 1813 }", but I'm getting the error:
Error: syntax error, unexpected dport
Nov 18 18:14:52 localhost nft[5816]: { tcp, udp } dport { 1812, 1813 }
meta protocol vmap {
I see in the man page under the "RAW PAYLOAD EXPRESSION" there exists
the idea of giving a list or protocols...
Matching destination port of both UDP and TCP.
inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }
The above can also be written as
inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }
Is what I'm trying to do solvable with meta and vmap in one rule, or
should I just create two meta vmap rules?
Thanks for helping me learn and use nftables.
Cheers,
-m
