From: Pablo Neira Ayuso <pablo@netfilter.org>
To: ѽ҉ᶬḳ℠ <vtol@gmx.net>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: [nftables] possible to utilise sets across different tables?
Date: Fri, 25 Sep 2020 14:11:13 +0200
Message-ID: <20200925121113.GA25890@salvia>
In-Reply-To: <f1e6e7f6-d9e2-cc93-1a64-acc5599b25a9@gmx.net>

On Fri, Sep 25, 2020 at 09:52:00AM +0000, ѽ҉ᶬḳ℠ wrote:
> On 23/09/2020 13:43, ѽ҉ᶬḳ℠ wrote:
> > Would it be possible to generate a set in 'table inet' based on 'saddr
> > ct state invalid drop' and then utilise the same set in a 'table netdev
> > rule', for offending saddr getting blocked early?
> >
>
> Tried some variations but none worked out and thus it seems deployment of
> sets across families is not supported. Though I reckon it would be a
> beneficial feature:
>
> * mitigate repetition of same sets that are applicable for different
> families
> * gather set data in one family, e.g. offenders' saddr from inet, and deploy
> such set in a rule in a different family, e.g. in netdev for blocking such
> offenders early on

This is feasible. I have an incomplete patchset to enable this, I'll
try to scratch some time to finish this.
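
With a set scoped to the table that declares it, one userspace workaround for the use case in this thread is to copy the elements of the inet set into a separate set in the netdev table. The following is an added example, not part of the original messages and not netfilter project code; the table names (`filter`, `early`), the set name (`offenders`) and the sample JSON are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape printed by
# `nft -j list set inet filter offenders` (names are assumptions).
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"set": {"family": "inet", "table": "filter", "name": "offenders",
             "type": "ipv4_addr", "flags": ["timeout", "dynamic"],
             "elem": [
                 {"elem": {"val": "192.0.2.10", "timeout": 3600, "expires": 1800}},
                 "198.51.100.7",
                 {"elem": {"val": "not-an-ip", "expires": 60}},
             ]}}]})


def elements(nft_json):
    """Yield (address, remaining_seconds or None) for each valid element."""
    for obj in json.loads(nft_json)["nftables"]:
        for item in obj.get("set", {}).get("elem", []):
            expires = None
            if isinstance(item, dict):          # element carrying timeout data
                inner = item.get("elem", {})
                item, expires = inner.get("val"), inner.get("expires")
            try:
                # Validate before the value is placed into an nft command.
                yield str(ipaddress.ip_address(item)), expires
            except (ValueError, TypeError):
                continue                        # skip prefixes, ranges, junk


def sync_commands(nft_json, family="netdev", table="early", name="offenders"):
    """Build an nft script that makes the target set mirror the source set."""
    cmds = [f"flush set {family} {table} {name}"]
    elems = [f"{addr} timeout {exp}s" if exp else addr
             for addr, exp in elements(nft_json)]
    if elems:
        cmds.append(
            f"add element {family} {table} {name} {{ {', '.join(elems)} }}")
    return "\n".join(cmds) + "\n"


if __name__ == "__main__":
    # Pipe the output to `nft -f -` so flush and add apply as one transaction.
    print(sync_commands(SAMPLE), end="")
```

The target set must already exist in the netdev table with the `timeout` flag, and an ingress-hook rule such as `ip saddr @offenders drop` does the early blocking.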