added 569 characters in body
aphid

This does not work (via systemd restart nftables, which should load /etc/nftables.conf):

cat /etc/nftables.d/forward/example.conf

meta oifname "eth2" ip daddr 5.6.7.8/30 accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

But this also does not work:

ip daddr 5.6.7.8/30 meta oifname "eth2" accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

Neither does this (using a concatenation example):

ip daddr . meta oifname {5.6.7.8/30 . "eth2"} accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Statement after terminal statement has no effect

Note: Contents of /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority filter;
        }
        chain forward {
                type filter hook forward priority filter;
                include "/etc/nftables.d/forward/*.conf"
        }
        chain output {
                type filter hook output priority filter;
        }
}

How do I do both, which would be necessary if this IP range isn't always routed to eth2 (policy routes, for example), and eth2 doesn't just contain this IP range?

added 223 characters in body
aphid

This does not work:

meta oifname "eth2" ip daddr 5.6.7.8/30 accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

But this also does not work:

ip daddr 5.6.7.8/30 meta oifname "eth2" accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

Neither does this (using a concatenation example):

ip daddr . meta oifname {5.6.7.8/30 . "eth2"} accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Statement after terminal statement has no effect

How do I do both, which would be necessary if this IP range isn't always routed to eth2 (policy routes, for example), and eth2 doesn't just contain this IP range?

aphid

nftables: Filter on interface and ip block?

This does not work:

meta oifname "eth2" ip daddr 5.6.7.8/30 accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

But this also does not work:

ip daddr 5.6.7.8/30 meta oifname "eth2" accept
^^^^^^^^^^^^^^^^^^^ ~~~~
Error: Statement after terminal statement has no effect

How do I do both, which would be necessary if this IP range isn't always routed to eth2 (policy routes, for example), and eth2 doesn't just contain this IP range?