Building rules through expressions
nftables provides the following built-in operations:
- ne which stands for not equal. Alternatively you can use !=.
- lt means less than. Alternatively you can use <.
- gt means greater than. Alternatively you can use >.
- le means less than or equal to. Alternatively you can use <=.
- ge means greater than or equal to. Alternatively you can use >=.
Beware: if you use the symbols < and > from the shell, it will interpret them as standard input and output redirection respectively. You will need to escape them, e.g. \<, or use the keyword forms (lt, gt, le, ge) instead.
The following example shows how to match all incoming TCP traffic whose destination port is not 22.
nft add rule filter input tcp dport != 22
Similarly, you can match TCP traffic destined for high ports (1024 and above) with the following command (note the escaped operator):
nft add rule filter input tcp dport \>= 1024
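The following added example (not from the original page) shows two ways to keep the shell from swallowing the comparison symbols: translating them to the keyword forms before building an interactive command, and writing the rules to a ruleset file loaded with nft -f, where the shell never sees them. The inet filter table, the chain layout and the port numbers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Table name, chain and ports are
# constructed; the comparison operators are the ones documented by nftables.

# Map a symbolic operator to its nftables keyword; echo anything else unchanged.
to_keyword() {
    case "$1" in
        '!=') echo ne ;;
        '<')  echo lt ;;
        '>')  echo gt ;;
        '<=') echo le ;;
        '>=') echo ge ;;
        *)    echo "$1" ;;
    esac
}

# Build an interactive `nft add rule` line that is safe to paste into a shell:
# the operator is converted to its keyword, so no escaping is needed.
build_rule() {
    # $1 = operator, $2 = port, $3 = verdict
    echo "nft add rule inet filter input tcp dport $(to_keyword "$1") $2 $3"
}

# Emit a complete ruleset for `nft -f`. Symbols are used directly here: the
# file is parsed by nft itself, so shell redirection is not a concern.
write_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 ct state new accept
        # count and log new connections aimed at high ports before dropping them
        tcp dport >= 1024 ct state new counter log prefix "nft-highport: " drop
        # everything else that is not SSH is counted, then dropped
        tcp dport != 22 counter drop
    }
}
EOF
}

# Syntax-check the ruleset without loading it (skipped when nft is absent).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, check skipped"; return 0; }
    write_ruleset | nft -c -f -
}

build_rule '!=' 22 drop
build_rule '>=' 1024 drop
write_ruleset
if check_ruleset; then echo "ruleset check passed"; else echo "ruleset check failed"; fi
```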