netfilter.vger.kernel.org archive mirror
* nftables: conditionally enabling rules?
@ 2025-09-30  1:53 Christoph Anton Mitterer
  2025-09-30 10:58 ` Kevin P. Fleming
  0 siblings, 1 reply; 2+ messages in thread
From: Christoph Anton Mitterer @ 2025-09-30  1:53 UTC (permalink / raw)
  To: netfilter

Hey.

What I do is about the following:

I have one main rules file, with some basic rules like:
   table inet filter {
   	chain input {
   		type filter hook input priority filter; policy drop;
   		
   
   		ct state established,related accept
   		ct state invalid drop
   		
   		meta iif lo accept
   		
   		icmp type @drop-icmp_types drop
   		icmpv6 type @drop-icmpv6_types drop
   		meta l4proto {icmp, ipv6-icmp} accept
   	}
   	chain output {
   		type filter hook output priority filter; policy accept;
   	}
   	chain forward {
   		type filter hook forward priority filter; policy drop;
   	}
   }
   include "/etc/nftables/rules.d/*.nft"


Via the include, any other rules can be added (e.g. allowing ssh)
merely by placing a corresponding file in the directory.


Similarly, I'd like to be able to choose between strong/weak host
model.

Ideally, the ruleset would default to strong host model, via something
like:
   nft add rule inet filter input fib daddr . iif type != { local, broadcast, multicast } drop
and only if some use-soft-host-model.nft is placed in rules.d/ it would
remove that rule.
Also, I'd prefer to avoid any scripted generation of the rules... with
that it would of course be easy.
Also, no workarounds that cost performance, e.g. by adding the rule in
a regular chain, and have the included file flush that.

How it cannot be done:
- I cannot simply set the rule in my base file and delete/destroy it in
  some included use-soft-host-model.nft file, because AFAIU, I can't
  really get the handle of the rule or manually specify one.
  So that would only work if I resort to scripting.
- I tried something like:
    define hostmodel=strong
  (which could be re-defined to "weak" by an included file)
  and explicitly include ".../$hostmodel".
  But that doesn't work either as vars aren't expanded in strings and
  include doesn't accept the plain var.

The only thing that really works is e.g.:
- insert the rule (in the beginning of the chain) via the included file
- include "/etc/nftables/hostmodel.nft"
  and have that be a symlink to either weak (empty) or strong
  (contains the above rule) file...

But that wouldn't give me the default-to-strong.


Any ideas? Or is there something like conditional importing?

It would be nice if one could e.g. simply say:
  include "foo" if $var eq bar
even better would be, if one could give include a further parameter
that ignores non-existent files (which right now only works with
wildcards).


Thanks,
Chris.


* Re: nftables: conditionally enabling rules?
  2025-09-30  1:53 nftables: conditionally enabling rules? Christoph Anton Mitterer
@ 2025-09-30 10:58 ` Kevin P. Fleming
  0 siblings, 0 replies; 2+ messages in thread
From: Kevin P. Fleming @ 2025-09-30 10:58 UTC (permalink / raw)
  To: netfilter

On Mon, Sep 29, 2025, at 21:53, Christoph Anton Mitterer wrote:

> Any ideas? Or is there something like conditional importing?
>
> It would be nice if one could e.g. simply say:
>   include "foo" if $var eq bar
> even better would be, if one could give include a further parameter
> that ignores non-existent files (which right now only works with
> wildcards).

Would you change the conditions and reload the rules on a frequent basis? If so, I'd suggest that you consider using vmaps and sets instead, whose contents can be changed on-the-fly without reloading the rules.

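The set-based approach Kevin suggests, applied to Chris's strong/weak host model question, as an added example that is not from either poster: the strong host rule stays in the base ruleset (default strong), and a named set of interface names selects which interfaces are exempted from it. The set name weak_host_ifaces, the interface name eth1 and the drop-in file name are constructed for illustration.

```nft
# Added example (not from either poster). Two files are shown, separated
# by comments; the set name, interface name and file paths are constructed.
#
# File 1: /etc/nftables.conf
flush ruleset

table inet filter {
	# Interfaces that should use the weak host model. Empty by default,
	# so the ruleset defaults to the strong host model on every interface.
	# Contents can be changed at runtime without reloading the ruleset.
	set weak_host_ifaces {
		type ifname
	}

	chain input {
		type filter hook input priority filter; policy drop;

		ct state established,related accept
		ct state invalid drop
		meta iif lo accept

		# Strong host model: drop packets whose destination address is
		# not configured on the interface they arrived on (the rule from
		# the original post), unless the interface is in @weak_host_ifaces.
		iifname != @weak_host_ifaces fib daddr . iif type != { local, broadcast, multicast } drop

		meta l4proto { icmp, ipv6-icmp } accept
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}

include "/etc/nftables/rules.d/*.nft"

# File 2: /etc/nftables/rules.d/use-weak-host-model.nft (optional drop-in)
# Present only on hosts that should run the weak host model on eth1;
# removing the file restores the strong default at the next reload.
add element inet filter weak_host_ifaces { "eth1" }
```

To switch at runtime without a reload, add or delete the interface name with `nft add element inet filter weak_host_ifaces { "eth1" }` / `nft delete element inet filter weak_host_ifaces { "eth1" }`, and check the current state with `nft list set inet filter weak_host_ifaces`.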
