On Tuesday 2019-01-29 12:08, Florian Westphal wrote:
>
>> add rule ip raw-set peerblock ip daddr @some_set tcp dport vmap { 80:accept, 
>> 443:accept } counter drop
>> 
>> Which in my mind would be: allow 80 and 443, and block the rest.
>> But that actually doesn't work, I mean it doesn't block the rest.
>> 
>> Also, does "counter" work with vmap because I see "0" all the time?

Conceptually, the use of a _verdict_ map looks wrong - the traditional
--sport option is not introducing any terminating verdict, but an expression
{port==80 || port==443}. I'd expect nf syntax to be more like
 tcp dport none-of/any-of { 80 443 } drop.
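As an added example (not part of this thread, and not the syntax the reply sketches), the same intent written with a negated port set, next to the original vmap rule for comparison. The named set `some_set` and the `raw-set` table / `peerblock` chain are taken from the rule quoted above; no hook or set definition is shown here, so those are assumed to already exist.

```nft
# Original rule (as quoted in the thread). A verdict map only yields a
# verdict for ports listed in it: 80/443 hit "accept" and the rule ends
# there, any other port misses the map and the rule ends too ("break").
# Either way the trailing "counter drop" is never reached, which is why
# the counter stays at 0 and unlisted ports are not blocked.
add rule ip raw-set peerblock ip daddr @some_set tcp dport vmap { 80 : accept, 443 : accept } counter drop

# Membership test instead of a verdict map: the set negation matches every
# destination port except 80 and 443, so those packets are counted and
# dropped while 80/443 simply fall through to later rules / chain policy.
add rule ip raw-set peerblock ip daddr @some_set tcp dport != { 80, 443 } counter drop
```

Checking `nft list chain ip raw-set peerblock` afterwards should show the second rule's counter increasing for traffic to the listed peers on any other port.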
