Hi Pablo,

Thanks for the response. Do I need kernel 4.2 to support this? I'm on 4.1 currently and the command below is erroring:

# nft add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
<cmdline>:1:55-79: Error: Could not process rule: Invalid argument
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:55-79: Error: Could not process rule: No such file or directory
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:1-79: Error: Could not process rule: No such file or directory
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(table named firewall and both 'forward' and 'test' chains configured).

----------------------------------------
> Date: Thu, 3 Sep 2015 18:35:25 +0200
> From: pablo@xxxxxxxxxxxxx
> To: ajchapman88@xxxxxxxxxxxxx
> CC: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: nftables multi-dimensional dictionaries
>
> On Wed, Sep 02, 2015 at 10:17:12AM +0100, Alex Chapman wrote:
>> Hi,
>>
>> Are multi-dimensional dictionaries supported in nftables? For example:
>>
>> nft add rule ip filter forward meta iifname . meta oifname { \
>>     eth0 . eth1 : jump chain \
>> }
>
> Currently we don't support oifname and oifname, the utility complains
> since it's a variable length datatype. But I think we can fix this by
> using the maximum length.
>
> Anyway, meanwhile you can use iif and oif for device whose device
> index is not expected to change.
>
> So this is how what you need looks like:
>
> nft add rule ip filter forward \
>     meta iif . meta oif vmap { eth0 . eth1 : jump test-chain }