Serguei Bezverkhi (sbezverk) <[email protected]> wrote:
> Hello,
> 
> I am trying to find an equivalent nft command for the following iptables
> command, specifically "physdev" and "addrtype", which I could not find so far;
> some help would be much appreciated.

> -m physdev ! --physdev-is-in

This has no equivalent.  The rule above matches when the 'call-iptables' sysctl
is enabled and the packet did not enter via a bridge interface.
So, it's only false when it did enter via a bridge interface.

In case the sysctl is off, the rule always matches and can be omitted.

nftables currently assumes that call-iptables is off, and that
bridges have their own filter rules in the netdev and/or
bridge families.

inet/ip/ip6 are assumed to only see packets that are routed by the ip
stack.

> -m addrtype ! --src-type LOCAL

fib saddr type != local
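The translation above, placed into a complete, loadable ruleset as an added example (this is not part of the original thread or of the nftables project's documentation). The table and chain names, the choice of the forward hook, and the counter/log actions are assumptions; the thread only supplies the two match expressions. The physdev match is omitted on purpose, following the reply: in the inet family the hook only sees routed packets, so the "not bridged" condition is already implied, and any filtering of bridged frames belongs in a separate bridge-family table.

```nft
# Added example ruleset (assumed names: "filter" tables, "forward" chains).
# Check the syntax without loading:  nft -c -f this-file.nft
# Load it:                           nft -f this-file.nft

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # iptables equivalent: -m addrtype ! --src-type LOCAL
        # The fib lookup classifies the source address against the local
        # routing tables; "!= local" matches packets whose source address
        # is not configured on this host. Counting and logging them is a
        # harmless way to verify the rule hits what you expect.
        fib saddr type != local counter log prefix "fwd-nonlocal-src: "

        # iptables "-m physdev ! --physdev-is-in" has no line here: with
        # call-iptables off (the assumption nftables makes), packets that
        # entered via a bridge port never reach this inet forward hook.
    }
}

# Bridged frames are filtered in the bridge family instead. This table is
# an assumed placeholder showing where such rules would live; the thread
# does not specify any bridge-side policy.
table bridge filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter
    }
}
```

Run the check command first; `nft -c -f` parses and validates the file without touching the live ruleset, so a typo in the fib expression is caught before anything is applied.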
