Currently, on IPv6 we can match hop-limit values, for example:
vyos@vyos# set firewall ipv6-name FOO rule 10 hop-limit
Possible completions:
eq Value to match a hop limit equal to it
gt Value to match a hop limit greater than or equal to it
lt Value to match a hop limit less than or equal to it
[edit]
vyos@vyos# set firewall ipv6-name FOO rule 10 hop-limit gt 10
[edit]
vyos@vyos# set firewall ipv6-name FOO rule 10 action accept
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo nft list chain ip6 filter NAME6_FOO
table ip6 filter {
chain NAME6_FOO {
ip6 hoplimit > 10 counter packets 0 bytes 0 return comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
But for IPv4, there's no option for matching ttl:
vyos@vyos# set firewall name FOO rule 10
Possible completions:
action Rule action [REQUIRED]
description Description
> destination Destination parameters
disable Option to disable firewall rule
> fragment IP fragment match
> icmp ICMP type and code information
> ipsec Inbound IPsec packets
> limit Rate limit using a token bucket filter
log Option to log packets matching rule
protocol Protocol to match (protocol name, number, or "all")
> recent Parameters for matching recently seen sources
> source Source parameters
> state Session state
> tcp TCP flags to match
> time Time to match rule
A ttl option should be added to IPv4 rules, so that a TTL/hop-limit match is available on both stacks.
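The following is an added example, not VyOS code, sketching what the new option needs to emit: the same eq/gt/lt operator set as the existing IPv6 hop-limit node, rendered as "ip ttl" for IPv4 and "ip6 hoplimit" for IPv6. The gt/lt to ">"/"<" mapping mirrors the "ip6 hoplimit > 10" rule in the nft output above; the "==" used for eq, the function names and the rule line format are assumptions. The value check matters because TTL and hop limit are 8-bit fields, so an out-of-range value should be rejected at commit time rather than handed to nft.

```python
# Added example (not VyOS code): render the nftables match that a VyOS-style
# ttl / hop-limit option would emit for each address family.
from typing import Dict

# CLI operators of the existing IPv6 hop-limit node mapped to nft syntax.
# gt/lt follow the "ip6 hoplimit > 10" rule shown in the task; "==" for eq is an assumption.
OPERATORS: Dict[str, str] = {"eq": "==", "gt": ">", "lt": "<"}

# nftables field names: "ip ttl" for IPv4, "ip6 hoplimit" for IPv6.
FIELD: Dict[str, str] = {"ipv4": "ip ttl", "ipv6": "ip6 hoplimit"}


def render_hop_match(family: str, op: str, value: int) -> str:
    """Return e.g. 'ip ttl > 10' or 'ip6 hoplimit == 64'.

    Rejects unknown families/operators and values outside the 8-bit
    TTL / hop-limit range so a bad config value fails before reaching nft.
    """
    if family not in FIELD:
        raise ValueError(f"unsupported family {family!r}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}, expected one of {sorted(OPERATORS)}")
    if not 0 <= value <= 255:
        raise ValueError(f"ttl/hop-limit must be 0-255, got {value}")
    return f"{FIELD[family]} {OPERATORS[op]} {value}"


def render_rule(family: str, name: str, rule_no: int, op: str, value: int,
                action: str = "return") -> str:
    """Build a full rule line in the style of the NAME6_FOO listing (assumed format).

    VyOS names its rule chains after the rule set, and the 'counter ... return'
    shape is taken from the listing in the task; 'counter' keeps the packet
    and byte counters that 'nft list chain' shows.
    """
    match = render_hop_match(family, op, value)
    return f'{match} counter {action} comment "{name}-{rule_no}"'


if __name__ == "__main__":
    # Same rule 10 on both stacks: IPv6 as the task shows today, IPv4 as proposed.
    print(render_rule("ipv6", "FOO", 10, "gt", 10))
    print(render_rule("ipv4", "FOO", 10, "gt", 10))
```

Running the block prints the IPv6 line that VyOS already generates for rule 10 and, directly beneath it, the IPv4 equivalent the proposed option would produce, which makes the parity between the two stacks easy to eyeball.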
References:
IPv4: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ip
IPv6: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ip6