netfilter.vger.kernel.org archive mirror
From: Christoph Anton Mitterer <calestyo@scientia.org>
To: netfilter@vger.kernel.org
Subject: nftables: conditionally enabling rules?
Date: Tue, 30 Sep 2025 03:53:25 +0200
Message-ID: <db91f59a7a80fa48a46edbd90bf5da8a65dd6c3a.camel@scientia.org>

Hey.

What I do is about the following:

I have one main rules file, with some basic rules like:
   table inet filter {
   	chain input {
   		type filter hook input priority filter; policy drop;

   		ct state established,related accept
   		ct state invalid drop

   		meta iif lo accept

   		icmp type @drop-icmp_types drop
   		icmpv6 type @drop-icmpv6_types drop
   		meta l4proto {icmp, ipv6-icmp} accept
   	}
   	chain output {
   		type filter hook output priority filter; policy accept;
   	}
   	chain forward {
   		type filter hook forward priority filter; policy drop;
   	}
   }
   include "/etc/nftables/rules.d/*.nft"


Via the include, any other rules can be added (e.g. allowing ssh)
merely by placing an according file in the directory.


Similarly, I'd like to be able to choose between strong/weak host
model.

Ideally, the ruleset would default to strong host model, via something
like:
   nft add rule inet filter input fib daddr . iif type != { local, broadcast, multicast } drop
and only if some use-soft-host-model.nft is placed in rules.d/ it would
remove that rule.
Also, I'd prefer to avoid any scripted generation of the rules... with
that it would of course be easy.
Also, no workarounds that cost performance, e.g. by adding the rule in
a regular chain, and have the included file flush that.

How it cannot be done:
- I cannot simply set the rule in my base file and delete/destroy it in
  some included use-soft-host-model.nft file, because AFAIU, I can't
  really get the handle of the rule or manually specify one.
  So that would only work if I resort to scripting.
- I tried something like:
    define hostmodel=strong
  (which could be re-defined to "weak" by an included file)
  and explicitly include ".../$hostmodel".
  But that doesn't work either as vars aren't expanded in strings and
  include doesn't accept the plain var.

The only thing that really works is e.g.:
- insert the rule (in the beginning of the chain) via the included file
- include "/etc/nftables/hostmodel.nft"
  and have that be a symlink to either weak (empty) or strong
  (contains the above rule) file...

But that wouldn't give me the default-to-strong.


Any ideas? Or is there something like conditional importing?

It would be nice if one could e.g. simply say:
  include "foo" if $var eq bar
even better would be, if one could give include a further parameter
that ignores non-existent files (which right now only works with
wildcards).


Thanks,
Chris.
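
The symlink approach from the mail above written out as one base file (an added, constructed example, not part of the original message). The paths /etc/nftables/hostmodel.nft, hostmodel-strong.nft and hostmodel-weak.nft are assumptions; the ICMP sets of the original ruleset are omitted so the file loads on its own.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf  (constructed example; file names are assumptions)
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		ct state established,related accept
		ct state invalid drop

		# Host model is selected by a symlink, resolved at load time:
		#   hostmodel.nft -> hostmodel-strong.nft   (one rule, below)
		#   hostmodel.nft -> hostmodel-weak.nft     (empty file)
		# hostmodel-strong.nft contains only:
		#   fib daddr . iif type != { local, broadcast, multicast } drop
		# i.e. a packet whose destination address is not owned by the
		# ingress interface (and is not broadcast/multicast) is dropped,
		# so an address bound to one NIC is not reachable via another.
		# It sits after the ct rules so the fib lookup runs once per
		# flow, not once per packet. The effective default is simply
		# whatever the symlink points to.
		include "/etc/nftables/hostmodel.nft"

		meta iif lo accept
		meta l4proto { icmp, ipv6-icmp } accept
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}

# Drop-in directory: any *.nft placed here is loaded (e.g. an ssh accept).
include "/etc/nftables/rules.d/*.nft"
```

Before activating, `nft -c -f /etc/nftables.conf` parses the whole file including the symlink target without loading it, which catches a dangling or misnamed hostmodel.nft.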

Thread overview: 2+ messages
2025-09-30  1:53 Christoph Anton Mitterer [this message]
2025-09-30 10:58 ` nftables: conditionally enabling rules? Kevin P. Fleming
