[ please don't drop CCs ]

On Wed, Jan 22, 2014 at 04:09:15PM +0100, Bjørnar Ness wrote:
> 2014/1/22 Patrick McHardy <kaber@xxxxxxxxx>:
> > On Wed, Jan 22, 2014 at 03:09:30PM +0100, Bjørnar Ness wrote:
> >> Is it planned (or already implemented) support for multiple value vmaps?
> >> for example {type uid, type ipv4 : verdict}
> >
> > We support so-called concatenations, basically multiple types glued
> > together. You can use those for exact matches. However the kernel side
> > is missing a few bits so far.
> >
> > Basically:
> >
> > nft add map uidmap { type uid . ipv4_address : verdict; }
> > nft filter input uid . ip saddr @uidmap
> > nft add element uidmap { root . localhost : drop }
>
> Ok, I see.. this sort of works, any plans to change from concat to
> multiple types?

Why? It is multiple types. The thing is if you do multidimensional lookups
things get a lot more inefficient. For the purpose of equality (or membership)
it doesn't make any difference.

> > The combination doesn't make too much sense of course.
> >
> >> Also, using iptables I am doing something like this
> >>
> >> -A INPUT -j BLOCK
> >> -A BLOCK -m set --match-set ignorelist src -j RETURN
> >> -A BLOCK -m set --match-set blocklist src -j DROP
> >>
> >> ..to make sure IPs listed in ignorelist do not get blocked..
> >>
> >> How would I do the same using nft?
> >
> > nft add set ignorelist { type ipv4_address; }
> > nft add set blocklist { type ipv4_address; }
> >
> > nft filter input jump block
> > nft filter block ip saddr @ignorelist return
> > nft filter block ip saddr @blocklist drop
>
> Could this be done in a cleaner way with nft, for example
>
> nft filter input ip saddr @ignorelist jump_over_next_rule_or_to_label
> nft filter input ip saddr @blocklist drop
> nft filter input add label jumplabel

I guess we have different opinions on what constitutes cleaner.
We don't support jumps to rules, but it should be possible quite easily to
change the code to support:

nft filter input ip saddr !@ignorelist ip saddr @blocklist drop

to put this into a single rule.
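The ignorelist/blocklist pattern from the thread, as an added example (not code from the mail or from the nftables project) written as a complete ruleset in current nft syntax rather than 2014-era one-off commands. It assumes the modern type name ipv4_addr, an inet table named "filter", and constructed sample addresses from the documentation ranges; 192.0.2.10 is deliberately placed in both sets to show that the ignorelist return takes precedence.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: current nft syntax
# (ipv4_addr, "inet" family), table name "filter", constructed sample data.

gen_ruleset() {
cat <<'EOF'
table inet filter {
    # "flags interval" lets the sets hold prefixes as well as single hosts.
    set ignorelist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }
    set blocklist {
        type ipv4_addr
        flags interval
        # 192.0.2.10 is also covered by ignorelist: the return wins.
        elements = { 192.0.2.10, 198.51.100.0/24, 203.0.113.7 }
    }
    # Same shape as the iptables BLOCK chain: RETURN first, then DROP.
    chain block {
        ip saddr @ignorelist return
        ip saddr @blocklist drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        jump block
    }
}
EOF
}

# The single-rule form Patrick describes; current nft accepts a negated
# set reference, so the extra chain is no longer needed.
single_rule() {
  printf '%s\n' 'ip saddr != @ignorelist ip saddr @blocklist drop'
}
```

Check the generated file with `nft -c -f` before loading it so a syntax error never leaves the host with a half-applied ruleset.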