netfilter-devel.vger.kernel.org archive mirror
From: Brian Allen Vanderburg II <brianvanderburg2@aim.com>
To: netfilter-devel@vger.kernel.org
Subject: nftables with ipset combined types
Date: Wed, 29 Jan 2014 02:27:50 -0500
Message-ID: <52E8AD76.5050808@aim.com>

I use ipset for my setup to simplify certain iptables rules. I have
rules to allow trusted networks and trusted services using two different
sets.  The services set is a hash:net,port set, and the network set is
a hash:net,iface set.  Is it planned to have sets that can contain
multiple value entries in nftables?  Also, as some of my interfaces are
dynamic, would such sets support interface names instead of indexes?
Something like { (10.10.1.0/24,"eth0"), (10.20.1.0/24,"tap0") }?  Or if
not, is there a way to use the existing ipset utility with nftables?

# Allow access to all services for traffic to/from certain networks on
specific interfaces
iptables -A INPUT -m set --match-set networks src,src -j ACCEPT
iptables -A OUTPUT -m set --match-set networks dst,dst -j ACCEPT

# Allow access to specific services from certain networks
iptables -A INPUT -m set --match-set services dst,src -j ACCEPT
iptables -A OUTPUT -m set --match-set services src,dst -j ACCEPT

# Perhaps translated to nft as
nft filter input ip saddr + iifname @networks accept
nft filter output ip daddr + oifname @networks accept

nft filter input ip saddr + dport @services accept
nft filter output ip daddr + sport @services accept

I have seen that this might be possible with maps, but one feature of a
set over a map that I like seems to be I'd only have to add the matching
information to the set, while the action such as accept, drop, or jump
is not part of the set but is hard-coded in the added rule.

Brian Vanderburg II
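For readers arriving at this thread later: the combined-type sets asked about above exist in current nftables as concatenated set types. The ruleset below is an added example written for this archive page, not code from the original post or from the thread's replies. It assumes nftables 0.6 or later for concatenations (released well after this January 2014 message) and nftables 0.9.4 with kernel 5.6 or later for the `flags interval` prefix elements inside a concatenation; the addresses, ports and interface names are constructed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Requires nftables >= 0.6 for
# concatenated types and nftables >= 0.9.4 / kernel >= 5.6 for prefixes
# (flags interval) inside a concatenation. Addresses, ports and interface
# names below are constructed placeholders.

flush ruleset

table inet filter {
    # Equivalent of ipset hash:net,iface: a (network, interface name) tuple.
    # ifname elements are compared as strings, so "tap0" need not exist
    # when the ruleset is loaded (unlike iif/oif, which resolve an index).
    set networks {
        type ipv4_addr . ifname
        flags interval
        elements = { 10.10.1.0/24 . "eth0",
                     10.20.1.0/24 . "tap0" }
    }

    # Equivalent of ipset hash:net,port: a (network, TCP port) tuple.
    set services {
        type ipv4_addr . inet_service
        flags interval
        elements = { 10.10.1.0/24 . 22,
                     10.30.0.0/16 . 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept

        # All services for trusted networks arriving on the listed interface.
        ip saddr . iifname @networks accept

        # Only specific services for the other trusted networks. The verdict
        # stays in the rule; the set holds match data only.
        ip saddr . tcp dport @services accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr . oifname @networks accept
        ip daddr . tcp sport @services accept
    }
}
```

Load it with `nft -f <file>` and confirm the concatenated keys with `nft list set inet filter networks`; elements can be added at runtime with `nft add element inet filter networks { 10.40.0.0/16 . "wg0" }` without touching the rules, which is the set-over-map property the post asks for. If the verdict should travel with the element instead, the same key syntax works for a map of `type ipv4_addr . ifname : verdict`, used as `ip saddr . iifname vmap @name`. With a default-drop input chain, anything not in either set is silently refused, so keep `ct state established,related accept` first or replies to outbound connections will be dropped.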



Thread overview: 6+ messages
2014-01-29  7:27 Brian Allen Vanderburg II [this message]
2014-01-29  9:30 ` nftables with ipset combined types Pablo Neira Ayuso
2014-01-29 11:34   ` Patrick Schaaf
2014-01-29 11:48     ` Arturo Borrero Gonzalez
2014-02-02 23:57     ` Pablo Neira Ayuso
2014-02-03 20:28       ` Patrick McHardy
