From: Florian Westphal <fw@strlen.de>
To: ѽ҉ᶬḳ℠ <vtol@gmx.net>
Cc: Florian Westphal <fw@strlen.de>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: [nftables v0.9.2 | kernel 4.19.93] logging protocols in inet family table require explicit protocol statement?
Date: Wed, 5 Feb 2020 16:37:34 +0100
Message-ID: <20200205153734.GI26952@breakpoint.cc>
In-Reply-To: <6a254067-bad5-4a72-25f3-a14ded823097@gmx.net>
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Citing an example from the WIKI
>
> nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH
> connection: \" accept
>
> there is no "ip protocol" stipulated. And neither does it throw an error and
> it works as expected (described in the WIKI)

Why would there?

  tcp dport eq 22
  ct state eq new
  log prefix \"New SSH ...\"
  accept

See?
4 statements, first two statements are equality tests,
3rd statement is log, 4th is the verdict.

> Trying something similar in the inet table
>
> nft add rule inet filter input tcp log
>
> throws
>
> Error: syntax error, unexpected log

Of course, because this is not similar at all.
This is

  tcp
  log

"tcp" isn't a statement. What should it mean?

> * nft add rule inet filter input ip protocol tcp log
> * nft add rule inet filter input ip6 nexthdr icmpv6 log
>
> neither throws an error. Hope that makes it clear.

Why would it? It's valid.

  ip protocol == tcp
  log

  ip6 nexthdr == icmpv6
  log

both are two valid statements.

It might help if you would explain what you are trying to do.
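
Added example, not part of the original message and not the nftables project's own configuration: the rules discussed in this thread written as an inet ruleset file, with each rule broken into its parts in the comments. The chain definition, the log prefixes on the last two rules and the two "meta l4proto" rules are assumptions added for illustration; they do not appear in the thread.

```nft
# Constructed ruleset for illustration; table and chain names follow the thread.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Four parts: two equality matches, a log statement, a verdict.
        #   tcp dport == 22 | ct state == new | log prefix "..." | accept
        # "tcp dport" names a header field, so there is something to compare.
        tcp dport 22 ct state new log prefix "New SSH connection: " accept

        # Two parts: match the IPv4 header's protocol field, then log.
        # In an inet table this rule only ever sees IPv4 packets, so
        # TCP carried over IPv6 is not logged by it.
        ip protocol tcp log

        # Two parts: match the IPv6 fixed header's Next Header field, then log.
        # A packet with an extension header in front of ICMPv6 has a
        # different Next Header value and is not logged by this rule.
        ip6 nexthdr icmpv6 log

        # Rejected by the parser ("unexpected log"): a bare protocol name
        # is not a match, there is no field and no value to compare.
        #   tcp log

        # Family-independent alternative (assumption, not from the thread):
        # meta l4proto compares the transport protocol for IPv4 and IPv6.
        meta l4proto tcp log prefix "TCP v4/v6: "
        meta l4proto ipv6-icmp log prefix "ICMPv6: "
    }
}
```

Saved to a file, the ruleset can be syntax-checked without loading it by running "nft -c -f" on that file.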