On Fri, 24 Nov 2023 14:57:09 +0000
Edward Dickson <edickson@xxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> I am running nftables v0.9.8 and am aiming to create a single
> rejection rule which specifies multiple rejection types for different
> protocols.
>
> Something like: "reject with tcp reset with icmpx type admin-prohibited".
>
> However when I've tried this, nftables throws an error:
> Error: syntax error, unexpected with, expecting end of file or newline
> or semicolon
> add rule inet filter output reject with tcp reset with icmpx type
> admin-prohibited
>
> ^^^^ (under the second with)
>
> Error: Statement after terminal statement has no effect
> add rule inet filter output reject with tcp reset reject with icmpx
> type admin-prohibited
> ~~~~~~ (under first reject)
> ^^^^^^ (under the second reject)
>
>
> I am currently using two rules which covers TCP, ICMP and anything
> else, but would be better as a single rule:
> add rule inet filter output meta l4proto tcp reject with tcp reset
> add rule inet filter output reject with icmpx type admin-prohibited
>
> But this would be better as a single rule, as the duplicate similar
> rules create complexity and duplication.
>
> Is there a way to specify multiple rejection types in a single nftables rule?
A chain would handle this perfectly adequately.
chain prohibit {
meta l4proto tcp reject with tcp reset
meta l4proto udp reject
reject with icmpx type admin-prohibited
}
Then, simply employ "goto prohibit" as a target in your rules.
--
Kerin Millar
