connection tracking state in rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

tried to create a rule using the conntrack state of a packet:

[root@sarkovy nftables]# cat ruleset-own.txt
create table netdev world
add set netdev world blacklist { type ipv4_addr; flags dynamic,timeout; timeout 1h; gc-interval 6h; size 256; } create chain netdev world ingress { type filter hook ingress device "eth_cable" priority filter; policy drop; } add rule netdev world ingress ip protocol tcp ip saddr @blacklist counter drop
add rule netdev world ingress ct state established,related counter accept
[root@sarkovy nftables]# nft -cf ruleset-own.txt
ruleset-own.txt:5:31-38: Error: Could not process rule: Protocol error
add rule netdev world ingress ct state established,related counter accept
                              ^^^^^^^^
This is rejected, but why?

And, btw., which one is correct, 'ct state established,related' or 'ct state { established,related }'?

Thomas





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux