On Sunday, June 25th, 2023 at 14:04, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:

> On Sun, 25 Jun 2023 14:45:21 +0800
> Michael Deegan michael@xxxxxxxxxxxx wrote:
>
> > Hello,
> >
> > (please CC me on replies, I'm not subscribed)
> >
> > It looks like I'm the first to attempt cutting and pasting the ruleset from
> > https://wiki.nftables.org/wiki-nftables/index.php?title=Simple_ruleset_for_a_home_router,
> > as it...doesn't work. :P
> >
> > The main problem is this line:
> >
> > ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
>
> The syntax of the ruleset is valid. Please ensure that you have not inadvertently introduced a linefeed character anywhere within a given set element (immediately before or after a comma is fine). Also, please convey the error message that you are encountering.

Yup, like Kerin says, works for me (I picked the 'input' chain just because it's easy).

$ nft --version
nftables v1.0.7 (Old Doc Yak)

~$ nft -e add rule inet fw4 input 'ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}'
add rule inet fw4 input ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept }
# new generation 83 by process 6770 (nft)

$ nft list chain inet fw4 input
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                ... trimmed the noise ...
                ip protocol . th dport vmap { tcp . 22 : accept, tcp . 53 : accept, udp . 53 : accept, udp . 67 : accept }
        }
}

To decipher the parts of the match expression, this might help (scan for "transport header").
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers

The rule is basically saying, "if the packet is IPv4, then concatenate the protocol and port from the transport header, use that as a key into the verdict map."
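As an added illustration (not part of this thread or of nftables itself), a small Python model of how that rule resolves a packet: it parses the vmap elements into (protocol, dport) keys, looks a packet up the way the chain does with the listed `policy drop` as the fallthrough, and flags the pasted-linefeed problem Kerin describes. The element grammar accepted here is an assumption covering only the shape shown in the thread.

```python
import re

# Added example, not code from the thread or from nftables: a small model of
#   ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, ... }
# The rule concatenates (IPv4 protocol, transport-header dport) and uses the
# pair as a key into a verdict map; a miss falls through to the chain policy.

_RULE_RE = re.compile(r"^ip protocol \. th dport vmap \{(.*)\}$", re.S)


def parse_vmap(rule: str) -> dict:
    """Return {(proto, dport): verdict} for every element of the map."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not an 'ip protocol . th dport vmap' rule")
    elements = {}
    for raw in m.group(1).split(","):
        elem = raw.strip()          # linefeeds next to a comma are harmless
        if not elem:
            continue                # tolerate a trailing comma
        if "\n" in elem:            # the copy/paste failure mode in the thread
            raise ValueError(f"linefeed inside set element: {elem!r}")
        key, sep, verdict = elem.partition(":")
        proto, sep2, port = key.partition(".")
        if not sep or not sep2:
            raise ValueError(f"malformed element: {elem!r}")
        elements[(proto.strip(), int(port))] = verdict.strip()
    return elements


def verdict_for(vmap: dict, proto: str, dport: int, policy: str = "drop") -> str:
    """Resolve a packet the way the chain does: map hit, else chain policy."""
    return vmap.get((proto, dport), policy)


def paste_error(rule: str):
    """Return the parse problem for a pasted rule, or None if it is clean."""
    try:
        parse_vmap(rule)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed input: the line Michael pasted from the wiki.
    rule = ("ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, "
            "tcp . 53 : accept, udp . 67 : accept}")
    vmap = parse_vmap(rule)
    for pkt in [("tcp", 22), ("udp", 53), ("tcp", 67)]:
        print(pkt, "->", verdict_for(vmap, *pkt))
```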