On Wed, Jan 22, 2014 at 03:09:30PM +0100, Bjørnar Ness wrote:
> Is it planned (or already implemented) support for multiple value vmaps?
> for example {type uid, type ipv4 : verdict}

We support so called concatenations, basically multiple types glued
together. You can use those for exact matches. However the kernel side
is missing a few bits so far.

Basically:

nft add map uidmap { type uid . ipv4_address : verdict; }
nft filter input uid . ip saddr @uidmap
nft add element uidmap { root . localhost : drop }

The combination doesn't make too much sense of course.

> Also, using iptables I am doing something like this
>
> -A INPUT -j BLOCK
> -A BLOCK -m set --match-set ignorelist src -j RETURN
> -A BLOCK -m set --match-set blocklist src -j DROP
>
> ..to make sure ips listed in ignorelist does not get blocked..
>
> How would I do the same using nft?

nft add set ignorelist { type ipv4_address; }
nft add set blocklist { type ipv4_address; }

nft filter input jump block
nft filter block ip saddr @ignorelist return
nft filter block ip saddr @blocklist drop
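
The ignorelist/blocklist layout from the reply above, written as a ruleset file in the syntax of current nft releases (an added example, not part of the original mail; the type keyword is ipv4_addr here rather than the ipv4_address used in the 2014 commands). The table family, the interval flag and the addresses are assumptions; the addresses are constructed from documentation ranges.

```nft
# Added example: exemption set evaluated before the block set.
table ip filter {
    # Hosts that must never be dropped by the block chain.
    set ignorelist {
        type ipv4_addr
        elements = { 198.51.100.7 }            # constructed sample address
    }

    # Sources to drop; "flags interval" lets the set hold prefixes.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }         # constructed sample prefix
    }

    # Regular (non-base) chain, reached only through the jump below.
    chain block {
        # Order matters: rules are evaluated top to bottom. An exempt
        # source returns to the calling chain before the blocklist rule
        # is reached, even though 198.51.100.7 is inside the blocked /24.
        ip saddr @ignorelist return
        ip saddr @blocklist drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        jump block
        # "return" resumes here: rules placed after the jump still apply
        # to exempt hosts. The exemption only skips the block chain; it
        # is not an accept verdict.
    }
}
```

Running `nft -c -f <file>` parses the ruleset without applying it. If the two rules in the block chain were swapped, the exempt host would be dropped with the rest of the prefix.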