On Tue, 16 Apr 2024 17:47:48 -0000
"William N." <netfilter@xxxxxxxxxx> wrote:

> Hello,
>
> I am trying to "compact" the following rules:
>
> table netdev filter {
>     chain ingress {
>         type filter hook ingress device "eth0" priority -500;
>         # ...
>
>         meta protocol ip \
>         tcp flags syn \
>         tcp option maxseg size lt 536 \
>         log prefix "TCP MSS: " \
>         counter packets 0 bytes 0 \
>         drop
>
>         meta protocol ip6 \
>         tcp flags syn \
>         tcp option maxseg size lt 1220 \
>         log prefix "TCP MSS: " \
>         counter packets 0 bytes 0 \
>         drop
>     }
> }
>
> into something like:
>
> table netdev filter {
>     chain ingress {
>         type filter hook ingress device "eth0" priority -500;
>         # ...
>
>         meta protocol tcp option maxseg size map lt {
>             ip : 536,
>             ip6 : 1220
>         } \
>         tcp flags syn \
>         log prefix "TCP MSS: " \
>         counter packets 0 bytes 0 \
>         drop
>     }
> }
>
> but I am getting errors, as my syntax is obviously wrong. The first error is:
>
> Error: syntax error, unexpected size, expecting newline or semicolon
> meta protocol tcp option maxseg size map lt {
>                                 ^^^^
>
> What is the correct syntax for this?

    meta protocol . tcp option maxseg size { ip . 0-535, ip6 . 0-1219 } \
    tcp flags syn \
    log prefix "TCP MSS: " \
    counter packets 0 bytes 0 \
    drop
}

--
Kerin Millar