On Mon, Dec 12, 2016 at 08:39:47PM -0800, Mark Morgan wrote:
[...]
> For now, I converted some of my ipsets to nftables format. The problem
> I'm having is that while there is an "include" directive which allows
> me to separate out my ipsets into manageable separate files, there is
> no mechanism I can see to actually reference these sets. Example:
>
> # nftables.conf
> @include "nftables.foobar"
> table inet filter { /* stuff in here */ }
>
> # nftables.foobar
> table ip foobar { set country_block { /*blah blah*/ } }
>
> Now I want to reference "set country_block" from my inet filters. I
> can't find any documentation on how to reference a set in another
> table. The "@country_block" reference seems to be scoped to only the
> current table, with no way I can find to have it reference a set in
> another table. I really do not want to store all of my ip sets in a
> single large file/table. That would be worse than what I have today
> with iptables.
>
> Am I missing a feature that perhaps isn't documented that would make
> this all work, or is there a forthcoming feature that might make this
> possible to do in the future?

I'd suggest you use a variable definition, eg.

# cat nftables.conf
include "./nftables.foobar"

table ip filter {
        set country_block {
                type ipv4_addr
                elements = $country_block
        }
}

# cat nftables.foobar
define country_block = { 1.2.3.4, \
                         4.3.2.1 }

Thus you maintain a single file with the address list.
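As an added illustration (not part of the reply above), the same define/include pattern carried through to what the question actually asked for: the address list kept in its own file, pulled into a set in an inet-family table, and used by a drop rule. File names follow the thread; the addresses are constructed documentation-range samples, and the `flags interval` line is only needed because the list mixes prefixes with single hosts.

```nft
# ---- nftables.foobar: only the address list lives in this file ----
# Constructed sample entries (RFC 5737 documentation ranges), not real blocks.
define country_block = {
        192.0.2.0/24,
        198.51.100.0/24,
        203.0.113.7
}

# ---- nftables.conf: pulls the list in and declares the set where it is used ----
include "./nftables.foobar"

table inet filter {
        # The set belongs to the table that references it; its contents
        # come from the $country_block variable defined in the included file.
        set country_block {
                type ipv4_addr
                flags interval          # allows prefixes and single addresses together
                elements = $country_block
        }

        chain input {
                type filter hook input priority 0; policy accept;

                ct state established,related accept
                # @country_block resolves within this table, which is why the
                # set is declared here instead of in a separate "foobar" table.
                ip saddr @country_block counter drop
        }
}
```

`nft -c -f nftables.conf` parses the ruleset (following the include) without loading it, so a typo in the address file is caught before it touches the running firewall.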