Re: question about UNDEFINE/REDEFINE

On 23 January 2018 at 04:40, David Fabian <david.fabian@xxxxxxx> wrote:
> Hello Pablo,
>
> Dne úterý 23. ledna 2018 12:07:28 CET, Pablo Neira Ayuso napsal(a):
>> I'm asking here because I would need to understand better how you've
>> structured your scripts, if you could explain a bit more, we would
>> appreciate.
>
> I have packed an excerpt of a playground FW with two VLANs 3 and 54. The
> configuration already uses my redefine keyword.
>
> ftp://ftp.bosson.eu/pub/tmp/nftables_excerpt.tar.gz
>
> The intended use case is to call nft -f fw-on and reload the firewall from
> scratch every time there is a config change. I don't know how a cmdline
> parameter would help us with it. Maybe if we would wrap nft calls with bash
> scripts but that would defeat the purpose of using the nft scripting
> capabilities in the first place.
>
> The most important for us is to have the FW logically structured for every
> customer and every FW rule related to a customer should be in his/her VLAN
> config file.
>

Your approach (redefining variables) doesn't save so much typing at
the end of the day.

My suggestion is to simply create one variable per value:

define INET_IFACES_VLAN43 = { bond0.x, bond3.y }
define INET_IFACES_VLAN3 = { bond3.x, bond3.y }
define XXX_VLAN43 = xxx
define XXX_VLAN3 = xxx

You could generate such a file, something like 'defines.nft', and
include it once in your main ruleset file.

If you perform many updates to this file, you could even maintain
it in git to keep track of changes.
Example: https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example

Another option is to create some kind of shell wrapper that replaces
variable names before running nft -f (something like make .in files),
but that's even uglier? I don't know.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
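The layout suggested in the reply, written out as an added example (not from the thread or the linked tarball): one variable per VLAN in a defines file that is included once, and one file per customer VLAN that only references those variables. Interface names, prefixes and ports are constructed; the `# file:` comments mark the intended split on disk, and the whole block is also valid as a single `nft -f` ruleset.

```nft
#!/usr/sbin/nft -f
# Constructed example: one variable per VLAN instead of redefining a shared
# name per customer file. Pasted together this is one valid ruleset; when
# split into the files named below, uncomment the include lines.

# file: defines.nft  (hand-maintained or generated, included exactly once)
define VLAN3_IFACES  = { bond0.3, bond3.3 }
define VLAN54_IFACES = { bond0.54, bond3.54 }
define VLAN3_NET     = 192.0.2.0/24       # RFC 5737 documentation prefixes
define VLAN54_NET    = 198.51.100.0/24
define VLAN3_TCP_IN  = { 22, 443 }        # services the customer exposes
define VLAN54_TCP_IN = { 443 }

# file: fw-on  (entry point: nft -f fw-on rebuilds the ruleset from scratch)
flush ruleset
# include "defines.nft"
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # dispatch by interface; each customer's rules live in its own chain
        iifname $VLAN3_IFACES  jump vlan3_from
        oifname $VLAN3_IFACES  jump vlan3_to
        iifname $VLAN54_IFACES jump vlan54_from
        oifname $VLAN54_IFACES jump vlan54_to
    }
}
# include "vlan3.nft"
# include "vlan54.nft"

# file: vlan3.nft  (everything about customer VLAN 3 is in this one file)
table inet filter {
    chain vlan3_from {
        ip saddr != $VLAN3_NET counter drop comment "anti-spoofing"
        accept
    }
    chain vlan3_to {
        ip daddr $VLAN3_NET tcp dport $VLAN3_TCP_IN accept
        counter drop
    }
}

# file: vlan54.nft  (same shape, different variables; nothing is redefined)
table inet filter {
    chain vlan54_from {
        ip saddr != $VLAN54_NET counter drop comment "anti-spoofing"
        accept
    }
    chain vlan54_to {
        ip daddr $VLAN54_NET tcp dport $VLAN54_TCP_IN accept
        counter drop
    }
}
```

Because every name is unique, `nft -c -f fw-on` can check the whole tree before it is loaded, and a change to one customer's VLAN file cannot silently alter another's rules through a shared variable name.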