On 2022-09-07 10:39, Pablo Neira Ayuso wrote:
Please, don't use "ip6 nexthdr", this strictly means "check for the IPv6 nexthdr field of the IPv6 header", which is not what you might need. See:

https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers

Instead, use "meta l4proto" which already parses the IPv6 extension headers up to the layer 4 header.
OK thanks. WillCo.
Better use concatenations and sets:

table ip6 x {
	set y {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { aaaa:43:a:83::5 . icmpv6 limit rate 5/second,
			     aaaa:43:a:83::6 . icmpv6 limit rate 5/second }
	}

	chain m {
		type filter hook prerouting priority filter; policy drop;
		ip6 daddr . meta l4proto @y accept
	}
}
Worked like a charm. Thanks again.
Probably, nft -o/--optimize might offer more of these transformations in the future.
Good to know!
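The pitfall and the fix from the thread side by side, as an added ruleset that is not from the thread (table and chain names are made up; the addresses are the two from the thread):

```nft
# Added example, not from the thread. Load with "nft -c -f FILE" to
# syntax-check it without installing it, then "nft -f FILE" to apply.
table ip6 demo {
	# Per-destination ICMPv6 allow-list keyed on address . transport
	# protocol, with a rate limit instance per element (same shape as
	# the set in the thread).
	set allowed {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { aaaa:43:a:83::5 . icmpv6 limit rate 5/second,
			     aaaa:43:a:83::6 . icmpv6 limit rate 5/second }
	}

	chain m {
		type filter hook prerouting priority filter; policy drop;

		# Pitfall (kept commented out): "ip6 nexthdr" reads only the
		# Next Header field of the fixed IPv6 header. An ICMPv6 packet
		# carrying a Hop-by-Hop or Destination Options extension header
		# has that field set to the extension header type, so this rule
		# would not match and the packet would hit the drop policy:
		#
		#   ip6 daddr aaaa:43:a:83::5 ip6 nexthdr icmpv6 accept

		# Fix: "meta l4proto" walks the extension-header chain to the
		# transport protocol, and one lookup covers every allowed
		# address/protocol pair.
		ip6 daddr . meta l4proto @allowed accept
	}
}
```

After loading, "nft list ruleset" shows the set elements with their live limit state, which is the quickest way to confirm that traffic is being matched by the set rule rather than dropped by the policy.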