
Firewall - Add packet type matcher (pkttype)
Needs testing, Requires assessment | Public | FEATURE REQUEST



Difficulty level: Unknown (require assessment)
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

n.fort changed the task status from Open to Confirmed. Mon, Mar 6, 10:54 AM
n.fort claimed this task.
n.fort created this task.
n.fort changed Version from - to vyos-1.4-rolling-202303060908.
Viacheslav changed the task status from Confirmed to In progress. Mon, Mar 6, 6:47 PM

@n.fort I apologize for the late entry here - could this also be exposed for NAT rules?
Edit: wow you guys worked so fast on this it got pulled before I could add this request :D

@n.fort @Viacheslav
Here is an example of what I am after for DNAT rule, specifically, using meta pkttype:

nft add rule inet firewall dstnat_chain meta pkttype host tcp dport 80 ip daddr != @rfc1918 counter dnat to

and how it looks in nft list ruleset output:

chain dstnat_chain {
        meta pkttype host tcp dport 80 ip daddr != @rfc1918 counter packets 0 bytes 0 dnat ip to
n.fort changed the task status from In progress to Needs testing. Mon, Mar 13, 3:44 PM

@n.fort A quick test of this against latest rolling looks like it's working as expected for general firewall rules:


[email protected]:~$ sh version
Version:          VyOS 1.4-rolling-202303120743
Release train:    current

Built by:         [email protected]
Built on:         Sun 12 Mar 2023 07:43 UTC
Build UUID:       f0413059-7c5d-4744-a466-367e167102a2
Build commit ID:  fdc0441a77f010

Operational firewall view:

[email protected]:~$ show firewall name OUTSIDE-LOCAL rule 31
Rule Information


  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  -------------------------------------------
    31  accept    tcp                 1       52  ct state new tcp dport 22 meta pkttype host

[email protected]:~$

Configuration firewall view:

[email protected]# show firewall name OUTSIDE-LOCAL rule 31
 action accept
 description "Allow SSH"
 destination {
     port 22
 packet-type host
 protocol tcp
 state {
     new enable

NFT ruleset view:

[email protected]:~$ sudo nft list ruleset | grep pkttype
                ct state new tcp dport 22 meta pkttype host counter packets 1 bytes 52 return comment "OUTSIDE-LOCAL-31"
[email protected]:~$

When I adjust the above rule 31 to type "other", it prevents SSH to the local host, as expected!

Only remaining issue for me is that I cannot use it for nat rules. Can the meta pkttype functionality also be enabled for nat rules? (valid example per T5055#144579)

Missing NAT functionality:

[email protected]# set nat destination rule 100 packet-type

  Configuration path: nat destination rule 100 [packet-type] is not valid


Thank you again for implementing this!

I'll work on it on the next days.
I'll keep you posted!

@n.fort I was too impatient to wait for a rolling build so I ran my own build of current post-merge.

Happy to report that my initial tests show this is working exactly how I hoped it would! Thank you again for the super fast implementation of this feature.

My judgement may have been too hasty. The commands are accepted by VyOS configure, but it looks like the meta pkttype host is being ignored by my new nftables rules. That is, all IP addresses are matching, not just actual VyOS host router IP addresses.

After a bit more digging, it looks like I might need some NFT_META modules enabled or statically configured ("CONFIG_NFT_META" and/or "CONFIG_NFT_BRIDGE_META") in the kernel.

External references here:

Can you please take a look and see if this is what's needed? Thank you again for all your work on this.

I have certain doubts about it.
Netfilter documentation is not always perfect, and many times you may find out some different options.

I think that the pkttype matcher is actually able to match three types of traffic:

  • Unicast (not able to distinguish between host and other)
  • Broadcast
  • Multicast


Also, from iptables doc (I know this is nftables, but most probably this is the same):


This module matches the link-layer packet type.
--pkt-type [unicast|broadcast|multicast]
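The behaviour reported earlier in this thread (every destination IP matching once `meta pkttype host` is in a DNAT rule) follows from pkttype being a link-layer property, as the iptables text quoted just above says. The following is an added example, not code from the VyOS task or its code base: a Python model of how the kernel classifies a received frame's packet type, with the thread's DNAT condition evaluated over constructed frames to show that a packet merely forwarded through the router also arrives as pkttype `host`, so only an explicit `ip daddr` check restricts a rule to the router's own addresses. All MAC and IP values are constructed.

```python
# Added example, not part of the VyOS task. Models the kernel's link-layer
# packet-type decision (what nftables `meta pkttype` tests) and the DNAT
# condition from this thread: meta pkttype host tcp dport 80 ip daddr != @rfc1918
from ipaddress import ip_address, ip_network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed router identity (placeholder values, not from the task)
ROUTER_MAC = "52:54:00:aa:bb:cc"
LOCAL_IPS = {"198.51.100.1", "192.168.1.1"}


def classify_pkttype(dst_mac: str, iface_mac: str) -> str:
    """Mirror the kernel's classification of a received Ethernet frame."""
    dst = dst_mac.lower()
    if dst == BROADCAST_MAC:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 0x01:   # group bit set in first octet
        return "multicast"
    if dst == iface_mac.lower():
        return "host"                       # frame addressed to this interface
    return "other"                          # someone else's frame (promiscuous mode)


def rule_hits(frame: dict, iface_mac: str, require_local_ip: bool) -> bool:
    """Evaluate the thread's DNAT condition against one frame.

    require_local_ip=True adds the `ip daddr` check that actually limits the
    rule to the router's own addresses; pkttype alone cannot do that."""
    if classify_pkttype(frame["dst_mac"], iface_mac) != "host":
        return False
    if frame["proto"] != "tcp" or frame["dport"] != 80:
        return False
    daddr = ip_address(frame["dst_ip"])
    if any(daddr in net for net in RFC1918):
        return False
    if require_local_ip and frame["dst_ip"] not in LOCAL_IPS:
        return False
    return True


# Constructed frames: one forwarded through the router to a remote web server,
# one addressed to the router's own WAN IP. Both carry the router's MAC.
FORWARDED = {"dst_mac": ROUTER_MAC, "dst_ip": "203.0.113.5", "proto": "tcp", "dport": 80}
TO_ROUTER = {"dst_mac": ROUTER_MAC, "dst_ip": "198.51.100.1", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print("forwarded, pkttype only:", rule_hits(FORWARDED, ROUTER_MAC, False))   # True
    print("forwarded, with ip daddr:", rule_hits(FORWARDED, ROUTER_MAC, True))   # False
    print("to router, with ip daddr:", rule_hits(TO_ROUTER, ROUTER_MAC, True))   # True
```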