From nftables wiki
Revision as of 00:36, 16 February 2021 by Fmyhr (talk | contribs) (Edited for clarity, grammar.)

Intervals are written as value-value: the lower bound, a hyphen, and the upper bound, with both bounds included in the match.

The following rule drops incoming traffic addressed to the IP address interval to

% nft add rule filter input ip daddr drop

Intervals are not limited to addresses; any constant-valued type can be used as an interval. This example uses a TCP destination port interval (the selector is dport or sport, one per rule):

% nft add rule filter input tcp dport 1-1024 drop

Intervals can also be elements of a set. The following example drops traffic from two intervals of source addresses, given as an anonymous set:

% nft add rule ip filter input ip saddr {, } drop

Intervals work the same way in verdict maps:

% nft add rule ip filter forward ip daddr vmap { : jump chain-dmz, : jump chain-desktop }
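The three uses above (an interval as a constant, intervals inside a set, and intervals as verdict map keys) can be combined in one ruleset file loaded with nft -f. The following ruleset is an added example and is not part of the nftables wiki page; the addresses, ports and chain names are illustrative assumptions. It also shows the one declaration the one-liners above do not need: a named set that holds intervals must be created with "flags interval", otherwise nft refuses range elements. Anonymous sets and anonymous vmaps written inline in a rule get the interval flag automatically.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables wiki. Addresses, ports and chain
# names are assumptions chosen for illustration (documentation ranges).
# Dry-run the syntax without touching the kernel: nft -c -f intervals.nft

flush ruleset

table inet filter {
    # A named set holding intervals needs "flags interval".
    # auto-merge collapses overlapping or adjacent ranges into one element
    # instead of rejecting them when elements are added later.
    set blocked_src {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 192.0.2.0-192.0.2.127, 198.51.100.10-198.51.100.20 }
    }

    chain chain-dmz {
        accept
    }

    chain chain-desktop {
        accept
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept

        # interval as a constant value: privileged TCP destination ports
        tcp dport 1-1024 drop

        # intervals taken from the named set above
        ip saddr @blocked_src drop

        # intervals in an anonymous set: no flags declaration needed
        ip daddr { 203.0.113.1-203.0.113.50, 203.0.113.200-203.0.113.250 } drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # intervals as keys of an anonymous verdict map
        ip daddr vmap { 192.0.2.0-192.0.2.127 : jump chain-dmz,
                        192.0.2.128-192.0.2.255 : jump chain-desktop }
    }
}
```

Check a file like this with nft -c -f before loading it; a forgotten "flags interval" on a named set is reported at that stage rather than at runtime. Note that the forward chain's policy is drop, so any destination outside the two mapped intervals is dropped by default.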