Hey Pablo...

On Fri, Nov 19, 2021 at 3:02 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Thu, Nov 18, 2021 at 06:44:22PM -0600, Matt Zagrabelny wrote:
> > Greetings,
> >
> > I have the following rules:
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority 0; policy drop;
> >         ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert,
> >             nd-neighbor-solicit, nd-neighbor-advert } accept
>
> Replacing 'ip6 nexthdr ipv6-icmp icmpv6 type' by 'icmpv6 type' is just fine.
> Please have a look at this, there is a note specifically on matching
> icmpv6 traffic:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers

Thanks for the tip. I'll submit a bug to the Debian package to get the
documentation updated to reflect the above.

> >         ct state vmap { invalid : drop, established : accept,
> >             related : accept }
> >         tcp dport { 1812, 1813 } meta protocol vmap { ip :
> >             jump radius_ipv4, ip6 : jump radius_ipv6 }
> >     }
> >
> >     # contrived chains...
> >     chain radius_ipv4 {
> >         ip saddr { 127.0.0.0/8, } accept
> >     }
> >
> >     chain radius_ipv6 {
> >         ip6 saddr { ::1 } accept
> >     }
> > }
> >
> > I'd like to change the "tcp dport { 1812, 1813 }" to "{ tcp, udp }
> > dport { 1812, 1813 }", but I'm getting the error [...]
>
> Use:
>
> ... meta l4proto { tcp, udp } th dport { 1812, 1813 }

Makes sense. Thanks again for the help!

-m