+++ /dev/null
-#! nft -f
-#
-add table ip filter
-add chain ip filter output { type filter hook output priority 0 ; }
-
-add chain ip filter chain1
-add rule ip filter chain1 counter
-
-add chain ip filter chain2
-add rule ip filter chain2 counter
-
-# must succeed: expr { expr, ... }
-add rule ip filter OUTPUT tcp dport { \
- 22, \
- 23, \
-}
-
-# must fail: expr { type1, type2, ... }
-add rule ip filter OUTPUT tcp dport { \
- 22, \
- 192.168.0.1, \
-}
-
-# must succeed: expr { expr : verdict, ... }
-add rule ip filter OUTPUT tcp dport vmap { \
- 22 : jump chain1, \
- 23 : jump chain2, \
-}
-
-# must fail: expr { expr : verdict, expr : expr, ... }
-add rule ip filter OUTPUT tcp dport vmap { \
- 22 : jump chain1, \
- 23 : 0x100, \
-}
-
-# must fail: expr { expr : expr, ...}
-add rule ip filter OUTPUT tcp dport vmap { \
- 22 : 0x100, \
- 23 : 0x200, \
-}
-
-# must succeed: expr MAP { expr : expr, ... } expr
-add rule ip filter OUTPUT meta mark set tcp dport map { \
- 22 : 1, \
- 23 : 2, \
-}
-
-# must fail: expr MAP { expr : type1, expr : type2, .. } expr
-add rule ip filter OUTPUT meta mark set tcp dport map { \
- 22 : 1, \
- 23 : 192.168.0.1, \
-}
+++ /dev/null
-#! nft -f
-
-# mixed syntactical and non-syntactical errors
-filter {
-filter input
-filter input tcp
-filter input tcp dport
-filter input tcp dport tcp
-filter input tcp dport tcp dport
+++ /dev/null
-#! nft -f
-
-# mixed syntactical and non-syntactical errors in blocks
-table filter {
- # missing identifier
- chain
-
- # missing chain block
- chain output
-
- chain output {
- tcp
- tcp dport
- tcp dport tcp
- tcp dport tcp dport
- tcp dport ssh
- }
-}
+++ /dev/null
-#! nft -f
-
-# Concat element mismatch
-add rule ip filter output ip daddr . tcp sport . tcp dport { \
- 192.168.0.1 . 22, \
- 192.168.0.1 . 80, \
-}
-
-# Concat type mismatch
-add rule ip filter output ip daddr . tcp dport { \
- 192.168.0.1 . 192.168.0.2, \
- 192.168.0.1 . 192.168.0.3, \
-}
-
-# Concat expression
-add rule ip filter output ip daddr . tcp dport { \
- 192.168.0.1 . 22, \
- 192.168.0.1 . 80, \
-}
+++ /dev/null
-#! nft -f
-
-add table ip filter
-add chain ip filter output { type filter hook output priority 0 ; }
-
-# ct: state
-add rule ip filter output ct state new,established counter
-
-# ct: direction original/reply
-add rule ip filter output ct direction original counter
-add rule ip filter output ct direction reply counter
-
-# ct: status
-add rule ip filter output ct status expected counter
-
-# ct: mark
-add rule ip filter output ct mark 0 counter
-
-# ct: secmark
-add rule ip filter output ct secmark 0 counter
-
-# ct: expiration
-add rule ip filter output ct expiration 30 counter
-
-# ct: helper ftp
-add rule ip filter output ct helper "ftp" counter
+++ /dev/null
-#! nft -f
-
-add table ip filter
-add chain ip filter output { type filter hook output priority 0 ; }
-
-# meta: skb len
-add rule ip filter output meta length 1000 counter
-
-# meta: skb protocol
-add rule ip filter output meta protocol 0x0800 counter
-
-# meta: skb mark
-add rule ip filter output meta mark 0 counter
-
-# meta: skb iif
-add rule ip filter output meta iif lo counter
-
-# meta: skb iifname
-add rule ip filter output meta iifname "eth0" counter
-
-# meta: skb oif
-add rule ip filter output meta oif lo counter
-
-# meta: skb oifname
-add rule ip filter output meta oifname "eth0" counter
-
-# meta: skb sk uid
-add rule ip filter output meta skuid 1000 counter
-
-# meta: skb sk gid
-add rule ip filter output meta skgid 1000 counter
-
-# meta: nftrace
-add rule ip filter output meta nftrace 1 counter
-
-# meta: rtclassid (see /etc/iproute2/rt_realms)
-add rule ip filter output meta rtclassid cosmos counter
-
-# meta: secmark
-add rule ip filter output meta secmark 0 counter
+++ /dev/null
-#! nft -f
-
-add table bridge filter
-add chain bridge filter output { type filter hook output priority 0 ; }
-
-# LL protocol
-add rule bridge filter output eth type 0x0800 counter
-
-# IP address
-add rule bridge filter output eth type 0x0800 ip daddr 20.0.0.2 counter
-
-# IPv6 address
-add rule bridge filter output eth type 0x86DD ip6 daddr 2001:6f8:974:3::2 counter
+++ /dev/null
-#! nft -f
-
-flush chain ip filter output
-delete chain ip filter output
-delete table filter
-
-add table ip filter
-add chain ip filter output { type filter hook input priority 0; }
-
-# IP address
-add rule ip filter output ip daddr 192.168.0.1 counter
-
-# TCP ports
-add rule ip filter output tcp dport 22 counter
+++ /dev/null
-#! nft -f
-
-add table ip6 filter
-add chain ip6 filter output { type filter hook output priority 0 ; }
-
-# IP address
-add rule ip6 filter output ip6 daddr 2001:6f8:974::1 counter
-
-# Next protocol
-add rule ip6 filter output ip6 nexthdr tcp
-
-# TCP ports
-add rule ip6 filter output tcp dport 22 counter
+++ /dev/null
-#! nft -f
-
-# adjacent payload expressions: 4 bytes in order
-add rule filter output tcp sport 1024 tcp dport 22 counter
-
-# adjacent payload expressions: 8 bytes in order
-add rule filter output ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter
-
-# adjacent payload expressions: 8 bytes in order
-add rule filter output tcp sequence 0 tcp sport 1024 tcp dport 22
-
-# adjacent payload expressions: 8 bytes in reverse order
-add rule filter output tcp sport 1024 tcp dport 22 tcp sequence 0
+++ /dev/null
-#! nft -f
-
-add table ip filter
-add chain ip filter input { type filter hook input priority 0; }
-
-# mac source
-add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
-
-# mac dest
-add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad counter
-
-# mac source and mac dest
-add rule ip filter input @ll,0,48 00:1b:21:02:6f:ad \
- @ll,48,48 00:15:e9:f0:10:f8 \
- counter
+++ /dev/null
-add rule filter OUTPUT meta mark 123/0x000000ff
-add rule filter OUTPUT ip daddr 192.168.0.0/24
-add rule filter OUTPUT ip daddr 192.168.0.0/255.255.255.0
-add rule filter OUTPUT ip saddr . ip daddr 192.168.0.0/24 . 192.168.0.0/24
-add rule filter OUTPUT ip daddr { 192.168.0.0/24, 192.168.1.0/24}
+++ /dev/null
-#! nft -f
-
-add table ip filter
-add chain ip filter output { type filter hook output priority 0; }
-
-add rule ip filter output log saddr "prefix" group 0 counter
projects / thirdparty / nftables.git / commitdiff
