Sets and ranges of numbers in nftables

One of the things I learned while translating the iptables multiport match to the native port handling of nft is that the syntax for a port range and the syntax for a set mean different things.

So, for example, a port range rule in iptables could be:

$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT

The translation to nft is:

nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept

or:

nft add rule ip filter INPUT ip protocol tcp tcp dport { 80-88 } counter accept

But, by design, they mean very different things. The first nft form is a plain port range, while the second creates a set containing a single element, which is itself a port range.

In practice both work, but the first form is the better fit when there is just one port range.
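As an added example (not code from the original post), here is a small POSIX shell function that performs the translation described above, going one step beyond the single-range case: it takes the comma-separated list that the iptables multiport match accepts, turns each a:b range into nft's a-b form, and emits a bare dport match for one element or an anonymous set for several. The function name and its input checks are my own.

```shell
#!/bin/sh
# Added example: translate an iptables multiport --dports list into the
# matching nft "tcp dport" expression. One element gives a plain match,
# two or more give an anonymous set in braces. Returns 1 on bad input.
multiport_to_nft() {
    list=$1 out='' n=0
    old_ifs=$IFS; IFS=,
    for e in $list; do
        case $e in
            *:*) lo=${e%%:*}; hi=${e#*:} ;;   # multiport range a:b
            *)   lo=$e; hi=$e ;;               # single port
        esac
        # both ends must be non-empty decimal numbers
        for p in "$lo" "$hi"; do
            case $p in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        done
        # reject descending ranges and ports above 65535, as iptables does
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            IFS=$old_ifs; return 1
        fi
        # nft writes ranges with a hyphen; a single port stays bare
        if [ "$lo" = "$hi" ]; then elem=$lo; else elem="$lo-$hi"; fi
        out="${out:+$out, }$elem"
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -gt 0 ] || return 1
    if [ "$n" -gt 1 ]; then
        # several elements: an anonymous set, like { 80-88, 443 }
        printf 'tcp dport { %s }\n' "$out"
    else
        # one element: a plain range or port match, no set needed
        printf 'tcp dport %s\n' "$out"
    fi
}

# Usage: the single-range case from the post, then a multi-element list
multiport_to_nft 80:88
multiport_to_nft 80:88,443,8080:8090
```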
