Building rules through expressions

From nftables wiki
Revision as of 18:49, 13 July 2016 by Pablo

nftables provides the following built-in operations:

  • ne which stands for non equal. Alternatively you can use !=.
  • lt means less than. Alternatively you can use <.
  • gt means greater than. Alternatively you can use >.
  • le means less than or equal to. Alternatively you can use <=.
  • ge means greater than or equal to. Alternatively you can use >=.

Beware when using the symbols < and > from the shell: it will interpret them as standard input and standard output redirection respectively. You will need to escape them, e.g. \<, or quote them.

The following example shows how to match all incoming traffic whose TCP destination port is not 22:

nft add rule filter input tcp dport != 22

Similarly, you can match traffic destined to high ports (TCP destination port 1024 or above) with the following command:

nft add rule filter input tcp dport >= 1024
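The operator list above and the two port-matching rules can be combined into a small helper that builds such rules without ever exposing a bare < or > to the shell. The script below is an added example, not code from the nftables wiki or the nftables project: the function names to_mnemonic, valid_port and build_port_rule are assumed, it always rewrites symbolic operators to the mnemonic forms (ne, lt, gt, le, ge), and it validates the port before printing the rule. It only prints the nft command unless NFT_APPLY=1 is set and it runs with the privileges needed to change the ruleset.

```sh
#!/bin/sh
# Added example (not from the nftables wiki): build nft port-match rules from
# symbolic or mnemonic comparison operators. Symbolic forms are translated to
# the mnemonic names so the shell never sees '<' or '>' as redirection.
# Assumed helper names: to_mnemonic, valid_port, build_port_rule.

# Map a comparison operator (symbolic or mnemonic) to its mnemonic name.
# Returns non-zero on an unknown operator.
to_mnemonic() {
    case "$1" in
        '!='|ne) echo ne ;;
        '<'|lt)  echo lt ;;
        '>'|gt)  echo gt ;;
        '<='|le) echo le ;;
        '>='|ge) echo ge ;;
        *) return 1 ;;
    esac
}

# Accept only an unsigned integer in the range 0..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# build_port_rule CHAIN PROTO OP PORT
# Prints the rule arguments for nft, e.g.
#   build_port_rule input tcp '>=' 1024  ->  add rule filter input tcp dport ge 1024
build_port_rule() {
    chain=$1; proto=$2; op=$3; port=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    mn=$(to_mnemonic "$op") || { echo "unknown operator: $op" >&2; return 1; }
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    echo "add rule filter $chain $proto dport $mn $port"
}

# Usage: print the commands (or apply them with NFT_APPLY=1 as a privileged user).
for spec in "input tcp != 22" "input tcp >= 1024"; do
    # shellcheck disable=SC2086
    set -- $spec
    rule=$(build_port_rule "$@") || continue
    if [ "${NFT_APPLY:-0}" = 1 ]; then
        # shellcheck disable=SC2086
        nft $rule
    else
        echo "nft $rule"
    fi
done
```

Because the operator is passed as a single quoted argument and rewritten to its mnemonic form, the generated command is the same whether the caller wrote ge or >=, and an unknown operator or an out-of-range port is rejected before anything reaches nft.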