Thank you very much Florian. I will use fib type local as a replacement.
Serguei 

On 2019-08-22, 10:20 AM, "Florian Westphal" <[email protected]> wrote:

    Serguei Bezverkhi (sbezverk) <[email protected]> wrote:
    > Hello,
    > 
    > I am trying to find an equivalent nft command for the following iptables
    > command.  Specifically "physdev" and "addrtype", I could not find so far, some
    > help would be very appreciated.
    
    > -m physdev ! --physdev-is-in            
    
    This has no equivalent.  The rule above matches when 'call-iptables' sysctl
    is enabled and the packet did not enter via a bridge interface.
    So, it's only false when it did enter via a bridge interface.
    
    In case the sysctl is off, the rule always matches and can be omitted.
    
    nftables currently assumes that call-iptables is off, and that
    bridges have their own filter rules in the netdev and/or
    bridge families.
    
    inet/ip/ip6 are assumed to only see packets that are routed by the ip
    stack.
    
    > -m addrtype ! --src-type LOCAL 
    
    fib saddr type != local
    

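The sysctl dependence described in the reply above, as an added example that is not part of the original thread: a shell check to run before dropping a `-m physdev ! --physdev-is-in` match during migration. The function name `physdev_migration`, the sysctl path `/proc/sys/net/bridge/bridge-nf-call-iptables`, and treating a missing sysctl file as "off" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide what to do with an iptables
# rule using "-m physdev ! --physdev-is-in" when moving to nftables.
# Assumption: the 'call-iptables' sysctl is exposed at this path.
SYSCTL_PATH="${SYSCTL_PATH:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# physdev_migration [path]   (hypothetical helper name)
# Prints:
#   omit    - sysctl is off: the match is always true and can be dropped
#   review  - sysctl is on: the match excludes packets that entered via a
#             bridge interface, and nft has no equivalent; bridge traffic
#             needs its own rules in the bridge and/or netdev families
#   unknown - unexpected sysctl content
physdev_migration() {
    path="${1:-$SYSCTL_PATH}"
    if [ ! -r "$path" ]; then
        # Assumption: no sysctl file means bridged packets are not passed
        # to iptables at all, which is the same as the sysctl being off.
        echo omit
        return 0
    fi
    val=$(tr -d '[:space:]' < "$path")
    case "$val" in
        0) echo omit ;;
        1) echo review ;;
        *) echo unknown; return 1 ;;
    esac
}

# Report the state of the running host.
physdev_migration || true
```

A result of `review` means the inet/ip/ip6 ruleset alone will not reproduce the old behaviour, since those families are assumed to see only routed packets.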