Re: question about UNDEFINE/REDEFINE

Hi David,

On Mon, Jan 22, 2018 at 02:53:09PM +0100, David Fabian wrote:
> Hello,
> 
> we have a firewall written in bash (using iptables) that is organized by 
> customer VLANs. Each VLAN has its own set of bash variables holding things 
> like uplink iface names, gateway IPs, etc. We want to rewrite the firewall to 
> nftables but are stuck on the fact that nft variables cannot be overridden in 
> the same scope. We have each VLAN configuration in a separate file containing 
> pre/post-routing, input, output and forward rules, and we include those files to 
> a master firewall configuration. One solution is to rename all the variables 
> with some VLAN specific (pre/su)ffix. But that is cumbersome.
> 
> I have made a small patch to nft which adds two new keywords - undefine and 
> redefine. undefine simply undefines a variable from the current scope. redefine 
> allows one to change a variable definition. The patch works against the latest 
> Fedora nft (version 0.7) but I believe it should work against master as well. 
> I don't know how to properly send the patch to the project so I am attaching 
> it here. I would like to know your opinion.

Thanks for sending us this patch.

Question here: If we allow passing variable definitions via the -D option
from the command line, would that work for you too?

I'm asking here because I would need to understand better how you've
structured your scripts. If you could explain a bit more, we would
appreciate it.

Thanks!