
I'd like to move to nftables (Ubuntu trusty, kernel 3.19). However I wonder how to migrate ebtables rules for ARP packets:

-p ARP --arp-op Request --arp-ip-src 192.168.178.237 --arp-mac-src 2:fb:c5:e0:ef:a3 -j ACCEPT

The command nft add rule bridge filter qemu1-o arp operation request counter accept works, however I can't figure out how to add the IP/MAC constraints to the rule.

Colt
gucki

1 Answer

Unfortunately, nftables has no implemented syntax for source and destination IPv4 addresses in ARP tables right now.

Empirically I found out that the following expressions can be used instead:

  • plen 4 @nh,64,32 (source ip)
  • plen 4 @nh,96,32 (destination ip)

The IPv4 address in the value should be specified as a decimal integer.

You can use an online converter to get your IP address into numeric format.

In your example, 192.168.178.237 becomes 3232281325.

So the final rule will look like:

nft add rule arp filter input arp operation request arp plen 4 @nh,64,32 3232281325 ether saddr 2:fb:c5:e0:ef:a3 counter accept

PS: You can use xtables-nft-multi from the latest iptables package, which provides the nf_tables compat backend, to import your old commands and check the new syntax.

kvaps
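The answer above relies on an online converter for the numeric IPv4 value and on hand-editing the rule. The script below is an added example (not from the question, the answer, or the nftables project): it does the dotted-quad to decimal conversion locally, zero-pads the MAC from the question, and translates the ebtables options the question uses (--arp-op, --arp-ip-src, --arp-ip-dst, --arp-mac-src, -j) into the nft rule form the answer gives. The `@nh,64,32` / `@nh,96,32` offsets are taken from the answer as stated, not independently verified here; the function and option names are this example's own. For the record, recent nftables releases also accept `arp saddr ip <address>` as a named field, which avoids the numeric form entirely.

```python
"""Added example: generate the nft ARP rule from the answer without an online converter."""
import ipaddress

# Raw payload offsets (bits into the ARP header) exactly as the answer gives them.
SRC_IP_OFFSET = 64   # @nh,64,32  -> source IP (per the answer)
DST_IP_OFFSET = 96   # @nh,96,32  -> destination IP (per the answer)


def ipv4_to_decimal(addr: str) -> int:
    """Dotted-quad IPv4 -> unsigned 32-bit integer, the form nft wants for a raw match."""
    return int(ipaddress.IPv4Address(addr))


def decimal_to_ipv4(value: int) -> str:
    """Inverse conversion, handy when reviewing a numeric value in an existing ruleset."""
    return str(ipaddress.IPv4Address(value))


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet: ebtables accepts '2:fb:..', nft prints '02:fb:..'."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def build_arp_rule(src_ip=None, dst_ip=None, src_mac=None, op="request",
                   verdict="accept", table="filter", chain="input") -> str:
    """Assemble the 'nft add rule arp ...' command in the shape shown in the answer."""
    parts = ["nft", "add", "rule", "arp", table, chain, "arp", "operation", op]
    if src_ip is not None or dst_ip is not None:
        parts += ["arp", "plen", "4"]          # IPv4 protocol length, as in the answer
    if src_ip is not None:
        parts += [f"@nh,{SRC_IP_OFFSET},32", str(ipv4_to_decimal(src_ip))]
    if dst_ip is not None:
        parts += [f"@nh,{DST_IP_OFFSET},32", str(ipv4_to_decimal(dst_ip))]
    if src_mac is not None:
        parts += ["ether", "saddr", normalize_mac(src_mac)]
    parts += ["counter", verdict]
    return " ".join(parts)


def ebtables_to_nft(rule: str, table="filter", chain="input") -> str:
    """Translate the ebtables ARP options used in the question into the nft rule."""
    tokens = rule.split()
    fields = {"src_ip": None, "dst_ip": None, "src_mac": None,
              "op": "request", "verdict": "accept"}
    option_map = {"--arp-ip-src": "src_ip", "--arp-ip-dst": "dst_ip",
                  "--arp-mac-src": "src_mac"}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"option {opt!r} is missing its argument")
        arg = tokens[i + 1]
        if opt in ("-p", "-i", "-o"):
            pass                                # protocol/interface selectors: not translated here
        elif opt == "--arp-op":
            fields["op"] = arg.lower()          # ebtables 'Request' -> nft 'request'
        elif opt == "-j":
            fields["verdict"] = arg.lower()     # ebtables 'ACCEPT' -> nft 'accept'
        elif opt in option_map:
            fields[option_map[opt]] = arg
        else:
            raise ValueError(f"unsupported ebtables option {opt!r}")
        i += 2
    return build_arp_rule(table=table, chain=chain, **fields)


if __name__ == "__main__":
    # The rule from the question, used here as sample input.
    print(ebtables_to_nft("-p ARP --arp-op Request --arp-ip-src 192.168.178.237 "
                          "--arp-mac-src 2:fb:c5:e0:ef:a3 -j ACCEPT"))
```

The generated command matches the answer's rule apart from the zero-padded MAC; keep the produced rule under review by listing it back with `nft list ruleset` after adding it, since the numeric match is hard to read by eye.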