On Fri, 24 Nov 2023 14:57:09 +0000 Edward Dickson <edickson@xxxxxxxxxxxxxxxxxx> wrote:

> Hello,
>
> I am running nftables v0.9.8 and am aiming to create a single
> rejection rule which specifies multiple rejection types for different
> protocols.
>
> Something like: "reject with tcp reset with icmpx type admin-prohibited".
>
> However, when I've tried this, nftables throws an error:
>
> Error: syntax error, unexpected with, expecting end of file or newline
> or semicolon
> add rule inet filter output reject with tcp reset with icmpx type
> admin-prohibited
> ^^^^ (under the second with)
>
> Error: Statement after terminal statement has no effect
> add rule inet filter output reject with tcp reset reject with icmpx
> type admin-prohibited
> ~~~~~~ (under the first reject)
> ^^^^^^ (under the second reject)
>
> I am currently using two rules which cover TCP, ICMP and anything
> else:
>
> add rule inet filter output meta l4proto tcp reject with tcp reset
> add rule inet filter output reject with icmpx type admin-prohibited
>
> But this would be better as a single rule, as the duplicate similar
> rules create complexity and duplication.
>
> Is there a way to specify multiple rejection types in a single nftables rule?

A chain would handle this perfectly adequately.

chain prohibit {
	meta l4proto tcp reject with tcp reset
	meta l4proto udp reject
	reject with icmpx type admin-prohibited
}

Then, simply employ "goto prohibit" as a target in your rules.

-- 
Kerin Millar
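For readers following the thread, here is a complete, loadable ruleset built around the "prohibit" chain above; it is an added example, not part of either message, and the base chain, the 192.0.2.0/24 destination match (a constructed documentation prefix) and the counter are assumptions standing in for whatever the real output rules select.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Check the syntax without loading it
# (nft -c -f prohibit.nft), then load it with nft -f prohibit.nft.
flush ruleset

table inet filter {
    # Regular (non-base) chain: one rejection verdict per transport protocol.
    # Every rule here is terminal, so evaluation stops at the first match and
    # the unconditional last rule guarantees a verdict for anything else.
    chain prohibit {
        meta l4proto tcp reject with tcp reset
        meta l4proto udp reject                   # bare reject: ICMP port-unreachable
        reject with icmpx type admin-prohibited   # remaining protocols (ICMP, SCTP, ...)
    }

    # Base chain on the output hook; policy accept keeps the host usable and
    # only traffic matched below is handed to prohibit.
    chain output {
        type filter hook output priority 0; policy accept;

        # goto, unlike jump, does not return to this chain; that is fine because
        # prohibit always reaches a terminal verdict. The counter (assumed, for
        # visibility) shows how many packets took the rejection path.
        ip daddr 192.0.2.0/24 counter goto prohibit
    }
}
```

The destination match is only a placeholder; whichever selector the two original rules were meant to share goes in front of "goto prohibit" once, and the per-protocol rejection types then live in a single place.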