Re: nftables set - network/netmask

On Thu, Feb 01, 2018 at 10:50:53AM +0300, hdemir wrote:
> Hi,
> 
> I found this conversation;
> 
> https://www.spinics.net/lists/netfilter/msg56947.html
> 
> It would be useful to have NET function as ipset has.
> 
> 
> hash:net,net
> hash:net,port,net
> hash:net,iface

It's already possible, e.g.

nft add table filter
nft add chain filter x
nft add set filter whitelist2 { type ipv4_addr . inet_proto . inet_service . ipv4_addr \;}
nft add element filter whitelist2 { 10.1.1.0 . tcp . 2 . 1.1.1.1 comment "test2" }
nft add rule filter x ip saddr and 255.255.255.0 . ip protocol . tcp dport . ip daddr @whitelist2 counter

So the trick is to do this from rules:

nft add rule filter x ip saddr and 255.255.255.0 . ip protocol . tcp dport . ip daddr @whitelist2 counter
                               ^^^^^^^^^^^^^^^^^

We should support /24 (CIDR notation) instead at some point, though;
this just needs some code in the userland.
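As an added example (not part of this thread, and not nftables' own code), the following Python script models the trick in the reply above. It derives the dotted-quad mask from CIDR entries and emits the same shape of `nft` commands the reply shows, and it mimics what the rule does on a packet: AND the source address with the mask, then look the concatenated key up in the set. The whitelist entries other than the one from the mail, the packet tuples, and all function names are constructed for illustration. One consequence of putting the mask in the rule rather than in each element, which the generator checks for, is that every element of one set must share the same prefix length.

```python
import ipaddress

# Constructed whitelist: (source network in CIDR, l4 proto, dport, destination host).
# The first entry is the one from the mail; the second is made up.
WHITELIST = [
    ("10.1.1.0/24", "tcp", 2, "1.1.1.1"),
    ("192.0.2.0/24", "tcp", 22, "198.51.100.7"),
]


def netmask_for(cidr: str) -> str:
    """Dotted-quad mask for 'ip saddr and <mask>' (10.1.1.0/24 -> 255.255.255.0)."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask)


def common_mask(whitelist) -> str:
    """The rule applies a single mask, so all entries must share one prefix length."""
    masks = {netmask_for(net) for net, *_ in whitelist}
    if len(masks) != 1:
        raise ValueError(f"entries must share one prefix length, got masks {sorted(masks)}")
    return masks.pop()


def nft_commands(whitelist, table="filter", chain="x", set_name="whitelist2"):
    """Emit commands of the same shape as the mail, mask derived from the CIDR entries."""
    mask = common_mask(whitelist)
    cmds = [
        f"nft add table {table}",
        f"nft add chain {table} {chain}",
        f"nft add set {table} {set_name} "
        "{ type ipv4_addr . inet_proto . inet_service . ipv4_addr \\;}",
    ]
    for net, proto, port, dst in whitelist:
        # Elements hold the network address; the masking happens in the rule.
        netaddr = ipaddress.ip_network(net, strict=True).network_address
        cmds.append(f"nft add element {table} {set_name} {{ {netaddr} . {proto} . {port} . {dst} }}")
    cmds.append(
        f"nft add rule {table} {chain} ip saddr and {mask} . ip protocol . tcp dport "
        f". ip daddr @{set_name} counter"
    )
    return cmds


def rule_matches(packet, whitelist) -> bool:
    """Model of the lookup: packet is (saddr, proto, dport, daddr) as strings/int."""
    mask = int(ipaddress.IPv4Address(common_mask(whitelist)))
    elements = {
        (ipaddress.ip_network(net, strict=True).network_address, proto, port,
         ipaddress.IPv4Address(dst))
        for net, proto, port, dst in whitelist
    }
    saddr, proto, dport, daddr = packet
    if proto != "tcp":
        # 'tcp dport' in the rule carries an implicit TCP dependency; other protocols never match.
        return False
    masked = ipaddress.IPv4Address(int(ipaddress.IPv4Address(saddr)) & mask)
    return (masked, proto, dport, ipaddress.IPv4Address(daddr)) in elements


if __name__ == "__main__":
    for cmd in nft_commands(WHITELIST):
        print(cmd)
    # Constructed packets: a host inside 10.1.1.0/24 matches, a host outside does not.
    print(rule_matches(("10.1.1.57", "tcp", 2, "1.1.1.1"), WHITELIST))   # True
    print(rule_matches(("10.1.2.57", "tcp", 2, "1.1.1.1"), WHITELIST))   # False
```

Running the script prints the generated `nft` commands (for inspection; it does not invoke `nft`) and then the outcome of the modelled lookup for two sample packets. Mixing a /24 and a /16 entry raises `ValueError`, which is exactly the case the reply's "/24 at some point" remark is about: per-element prefix lengths need CIDR support in the set itself.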
