Building rules through expressions

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

nftables provides the following built-in operations:

eq which stands for equal. Alternatively you can use ==.
ne which stands for not equal. Alternatively you can use !=.
lt which stands for less than. Alternatively you can use <.
gt which stands for greater than. Alternatively you can use >.
le which stands for less than or equal to. Alternatively you can use <=.
ge which stands for greater than or equal to. Alternatively you can use >=.

Beware: if you use the symbols < and > from the shell since it will interpret those as the standard input and output redirection respectively. You will need to escape them, eg. \<.

The following example shows how to match all incoming traffic not coming to port TCP/22.

nft add rule filter input tcp dport != 22

Similarly, you can also match traffic coming to high ports with the following command:

nft add rule filter input tcp dport >= 1024

Building rules through expressions

Navigation menu

Search