Currently, for IPv6 we can match hop-limit values, for example:

```
vyos@vyos# set firewall ipv6-name FOO rule 10 hop-limit
Possible completions:
  eq           Value to match a hop limit equal to it
  gt           Value to match a hop limit greater than or equal to it
  lt           Value to match a hop limit less than or equal to it

[edit]
vyos@vyos# set firewall ipv6-name FOO rule 10 hop-limit gt 10
[edit]
vyos@vyos# set firewall ipv6-name FOO rule 10 action accept
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo nft list chain ip6 filter NAME6_FOO
table ip6 filter {
	chain NAME6_FOO {
		ip6 hoplimit > 10 counter packets 0 bytes 0 return comment "FOO-10"
		counter packets 0 bytes 0 return comment "FOO default-action accept"
	}
}
```
But for IPv4, there's no option for matching TTL:

```
vyos@vyos# set firewall name FOO rule 10
Possible completions:
  action       Rule action [REQUIRED]
  description  Description
> destination  Destination parameters
  disable      Option to disable firewall rule
> fragment     IP fragment match
> icmp         ICMP type and code information
> ipsec        Inbound IPsec packets
> limit        Rate limit using a token bucket filter
  log          Option to log packets matching rule
  protocol     Protocol to match (protocol name, number, or "all")
> recent       Parameters for matching recently seen sources
> source       Source parameters
> state        Session state
> tcp          TCP flags to match
> time         Time to match rule
```
This option should be added, so that a TTL / hop-limit match is available on both stacks.
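As an added illustration (not VyOS project code) of what the IPv4 side would need to emit, the following shell functions map the VyOS-style `eq`/`gt`/`lt` operators onto the nftables `ip ttl` and `ip6 hoplimit` match for both families, reject values outside the 8-bit 0..255 range, and build a rule line in the same shape as the chain listing above. The function names and the `NAME_FOO` chain name are assumptions; the operator mapping follows the listed chain (`gt` became `>`), while the CLI help text describes `gt`/`lt` as inclusive, so the exact operator should be confirmed with `nft list chain` on a real box.

```shell
#!/bin/sh
# Added example, not code from VyOS: generate the nft match a TTL / hop-limit
# rule option would produce. Function and chain names are made up for the demo.

# ttl_match FAMILY OP VALUE -> "ip ttl > 10" or "ip6 hoplimit > 10"
ttl_match() {
    family=$1; op=$2; value=$3
    case "$family" in
        ip)  field="ip ttl" ;;
        ip6) field="ip6 hoplimit" ;;
        *)   echo "unknown family: $family" >&2; return 1 ;;
    esac
    # TTL and hop limit are 8-bit fields: accept only integers 0..255
    case "$value" in
        ''|*[!0-9]*) echo "value must be numeric: $value" >&2; return 1 ;;
    esac
    [ "$value" -le 255 ] || { echo "value out of range: $value" >&2; return 1; }
    # Operator mapping taken from the chain listing (gt -> ">", lt -> "<");
    # the CLI help text says "or equal", so verify against `nft list chain`.
    case "$op" in
        eq) sym="==" ;;
        gt) sym=">" ;;
        lt) sym="<" ;;
        *)  echo "unknown operator: $op" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$field" "$sym" "$value"
}

# ttl_rule FAMILY CHAIN LABEL OP VALUE VERDICT -> one "add rule" line
# in the same shape as the listing above (counter + verdict + comment)
ttl_rule() {
    family=$1; chain=$2; label=$3; op=$4; value=$5; verdict=$6
    match=$(ttl_match "$family" "$op" "$value") || return 1
    printf 'add rule %s filter %s %s counter %s comment "%s"\n' \
        "$family" "$chain" "$match" "$verdict" "$label"
}

# Demo: the IPv6 rule equivalent to the listing above (assumed chain NAME6_FOO)
# and an IPv4 rule that only accepts packets which still carry TTL 255, i.e.
# the GTSM check from RFC 5082 used to restrict a service to directly
# connected peers. Pipe the output into `nft -c -f -` to syntax-check it.
ttl_rule ip6 NAME6_FOO FOO-10 gt 10 return
ttl_rule ip NAME_FOO FOO-10 eq 255 return
```

The second demo rule is the defensive use case that motivates a TTL match on IPv4: a packet that has crossed a router can never arrive with TTL 255, so an `eq 255` rule is a cheap way to drop remote spoofing attempts against a link-local service.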
References:
IPv4: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ip
IPv6: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ip6