On 03/13/2018 01:36 AM, Fran Fitzpatrick wrote:
> One feature that I've noticed is missing is that there is no
> hash:port:hash equivalent in nftables, which I'm starting to think is
> quite a big gap.

I am honestly not sure what you are asking for...

You can make a ranged/interval set that can span whole subnets with one entry. You can use meters (was "flow tables") to do things that "hashlimit" etc. used to do. The "hashness or not" of the sets, maps, and meters' storage has simply been declared an implementation detail not shown as explicit wording.

For example:

    table ip test {
        set iprange {
            type ipv4_addr
            flags interval
            elements = { 192.168.10.0/23 }
        }

        chain example {
            ip daddr @iprange tcp dport 66 counter packets 0 bytes 0
        }
    }

This set matches a range of IP addresses. Currently there is only one entry, matching the range from 192.168.10.0 to 192.168.11.255. In the example rule I match the IP address range and then separately match port 66 in order to trigger a counter. The second part could also be a ranged set of inet_service type to sweep up a range of ports.

I'm not sure about interval concatenations. A quick experiment shows that they are syntactically legal to declare, but I didn't look into data syntax or boundary conditions.

So without seeing what exactly you are trying to do or replace I'm not sure how to answer your question with greater specificity.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
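The following ruleset is an added example, not part of the original message or of the netfilter project, that puts the three constructs mentioned in the reply side by side: an interval set of addresses, an interval set of inet_service ports, a concatenated interval set that combines both in one lookup, and a meter that rate-limits new SSH connections per source address. Table, set, chain and meter names, the address and port values, and the rate are all made up for illustration. The concatenated interval set (`ipv4_addr . inet_service` with `flags interval`) is assumed to need a reasonably recent nftables (nft 0.9.4 / kernel 5.6 or later); the other constructs are older.

```nft
# Added example ruleset (constructed; names and values are illustrative).
# Load with:  nft -f this-file.nft
# Inspect with: nft list ruleset
table inet example_filter {
    # Interval set: one entry covers a whole subnet (192.168.10.0-192.168.11.255).
    set allowed_nets {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/23, 10.0.0.0/8 }
    }

    # Interval set of ports: a range and a single port in the same set.
    set allowed_ports {
        type inet_service
        flags interval
        elements = { 8000-8010, 443 }
    }

    # Concatenated interval set: address range AND port range in one lookup.
    # Assumes nft 0.9.4+ / kernel 5.6+ for ranged concatenations.
    set allowed_net_port {
        type ipv4_addr . inet_service
        flags interval
        elements = { 192.168.10.0/23 . 8000-8010 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept

        # Two separate set lookups, as in the reply's example.
        ip saddr @allowed_nets tcp dport @allowed_ports counter accept

        # Single lookup against the concatenated set.
        ip saddr . tcp dport @allowed_net_port counter accept

        # Meter (the hashlimit replacement): per-source rate limit on new SSH
        # connections; sources exceeding 5 new connections per minute are dropped.
        tcp dport 22 ct state new meter ssh_flood { ip saddr limit rate over 5/minute } counter drop
    }
}
```

After loading, `nft list ruleset` shows the counters on each rule, so you can confirm which lookup (separate sets versus the concatenated set) is matching the traffic you expect; the meter's per-address state is visible with `nft list meter inet example_filter ssh_flood`.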