[Bug 1202] Cannot match on both dport and sport in one nftables rule

bugzilla-daemon at netfilter.org
Wed Jan 29 00:54:00 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1202

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net

--- Comment #1 from kfm at plushkava.net ---
(In reply to jac from comment #0)
> In nftables v0.5 I could have the following rule to match on EITHER sport or
> dport in the same rule:
> tcp sport ssh tcp dport ssh counter accept
> 
> In nftables v0.7 this no longer works.

As with iptables, logical disjunctions are not supported. That rule should
never have worked for the stated purpose. While "or" can be used in rules, it
works as a bitwise operator, not a logical operator. So, this is really a
feature request.

Perhaps it would be nice for maps to support a metacharacter that matches
anything. For example, imagine being able to write:

tcp sport . tcp dport vmap { ssh . * : accept, * . ssh : accept }

Whether that is technically feasible to implement, I do not know.

-- 
You are receiving this mail because:
You are watching all bug changes.
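The conjunction-versus-disjunction point above, written out as an nft ruleset. This is an added example, not code from the bug report or from the netfilter project: it keeps the reporter's original rule (which only counts packets whose source AND destination port are both 22), shows the portable two-rule form of "either", and then shows a single-rule form using a concatenated interval set. The table, chain and set names are illustrative, and the set form assumes nft 0.9.4 or later with a 5.6 or later kernel, which is where concatenated ranges in sets became available (later than the v0.7 the reporter was using).

```nft
#!/usr/sbin/nft -f
# Added example, not from the bug report. Syntax-check without loading:
#   nft -c -f either-ssh.nft
# Names (filter, input, either_ssh) are illustrative.

table inet filter {
    # Port-pair set meaning "sport is 22" OR "dport is 22".
    # Concatenated ranges in a set need nft >= 0.9.4 / kernel >= 5.6.
    # The elements are written disjoint (the pair 22 . 22 is covered
    # exactly once) so the interval set contains no overlapping entries.
    set either_ssh {
        type inet_service . inet_service
        flags interval
        elements = { 22 . 0-65535,
                     0-21 . 22,
                     23-65535 . 22 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept

        # The rule from the report. Selectors in one rule are ANDed, so
        # this counter only advances for packets with sport 22 AND dport 22.
        tcp sport 22 tcp dport 22 counter comment "both-22-only"

        # Portable way to express the disjunction: one rule per alternative.
        tcp sport 22 counter accept comment "sport-22"
        tcp dport 22 counter accept comment "dport-22"

        # Single-rule form, using the concatenated interval set above.
        tcp sport . tcp dport @either_ssh counter accept comment "either-22"
    }
}
```

To confirm the behaviour, generate traffic with only one of the two ports set to 22 and compare the counters with `nft list chain inet filter input`: the "both-22-only" counter stays at zero while "sport-22"/"dport-22" (or "either-22", if the two-rule pair is removed) advance. Note that with both forms present the two-rule pair accepts first and the set rule never sees the packet; in practice you would keep one form or the other.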