
I want to create a rule which accepts only those packets that have an IP length greater than 2000,

so I have my table (my_table) and chain(my_chain) and I am trying something like this:

sudo nft add rule inet my_table my_chain ip length > 2000 counter accept

but I've got the error:

-bash: 2000: No such file or directory

I believe that there is a problem with '<'. How can I rewrite this rule without using comparison operators? Because this is working:

sudo nft add rule inet my_table my_chain ip length != 2000 counter accept

but it has a different meaning.

Jason Aller
Eldragon01

2 Answers


OK, so ip length != 1-2000 is working.

Eldragon01

The shell interprets > as a redirect, so it needs to be escaped with a backslash.

sudo nft add rule inet my_table my_chain ip length \> 2000 counter accept
Lobz
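The following is an added example, not code from either answer above, showing what the shell actually does to the unescaped rule and three ways to get the comparison to nft intact. It goes beyond the backslash fix: nft also accepts the keyword forms of the relational operators (gt, lt, ge, le, eq, ne), which the shell never touches, and a rule loaded from a file with nft -f is never parsed by the shell at all. The table and chain names (inet my_table, my_chain) are taken from the question; nothing here invokes nft, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# Demonstrates why "ip length > 2000" breaks on the command line and
# three ways to hand the rule to nft unchanged. Assumes the table
# 'inet my_table' and chain 'my_chain' from the question exist; nft
# itself is never called here.

# Stand-in for nft: reports how many words reached it after shell parsing.
argc() { echo "$#"; }

# Unescaped '>' is a stdout redirect. The shell strips "> 2000" from the
# argument list and writes the command's output to a file named 2000, so
# nft would only ever see "... ip length counter accept". The function
# returns the argument count that such a call actually delivers.
unescaped_argc() {
    dir=$(mktemp -d)
    ( cd "$dir" && argc add rule inet my_table my_chain ip length > 2000 counter accept )
    cat "$dir/2000"          # the redirected output: 9 words, no operator, no 2000
    rm -rf "$dir"
}

# Fix 1: escape (or single-quote) the operator so it stays an argument.
escaped_argc() {
    argc add rule inet my_table my_chain ip length \> 2000 counter accept
}

# Fix 2: use nft's keyword operator 'gt' instead of '>'; the shell has no
# special meaning for it, so no escaping is needed at all.
keyword_argc() {
    argc add rule inet my_table my_chain ip length gt 2000 counter accept
}

# Fix 3: write the rule to a ruleset file and load it with 'nft -f FILE'.
# The quoted heredoc means the shell does not interpret anything inside.
# Returns the path of the file it wrote; verify it with 'nft -c -f FILE'
# (check mode, nothing is loaded) before applying it for real.
write_ruleset() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
add rule inet my_table my_chain ip length > 2000 counter accept
EOF
    echo "$file"
}
```

Run the three argc helpers side by side to see the difference: the unescaped call delivers 9 words to the command, while both the escaped and the keyword forms deliver all 11, including the operator and the 2000. Note that the accepted answer's workaround, ip length != 1-2000, is not quite the same match as ip length > 2000 (it also covers a length of 0); if you want a range rather than a comparison, ip length 2001-65535 expresses the original intent exactly.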