
I want to create an nftables filter rule that drops traffic where the source and destination address are equal. Nftables only allows comparing addresses against constants or sets/maps. So I tried to add the destination address to a map and then compare the source address against the map.

I tried:

table inet my_table {
  map srcdest { type ipv4_addr: ipv4_addr; }
  chain my_chain {
    meta nfproto ipv4 update @srcdest { ip saddr : ip daddr }
    meta nfproto ipv4 ip saddr ip saddr map @srcdest drop
  }
}

but get a syntax error, "unexpected drop", at the drop in the last line.

I was expecting that

ip saddr map @srcdest

would perform a lookup of the source address in the map and return the destination address, so the line would translate to something like:

meta nfproto ipv4 ip saddr 192.168.1.1 drop
