On 06/20/2018 12:23 AM, ѽ҉ᶬḳ℠ wrote:
> nft 0.8.2
>
> For the use of |meter| I would like to concatenate ifaces, to
> distinguish between wan and lan. For sets there does not seem to be a suitable
> string (e.g. |iface_name|) available though, and |ether_addr| can be
> spoofed, however likely it might be for someone/a.i. to match the wan's nic.
>
> Thus I was trying |meta iifname ne { lo, br* }| but that throws an error.

I use interface group numbers for this. It's very fast and easy to do.

#in your network interface provisioning:
ip link set dev br1 group 2
ip link set dev br2 group 2
(...etc...)

#in your nft script
iifgroup eq 2 drop
(...or whatever...)

You can use things like the greater-than operator "gt" or "lt" for less-than if you organize things well. I use larger numbers for more trusted interfaces. So gt is my operator of choice, putting interfaces in 2 and bridges in 3, while external interfaces are 1 and interfaces coming up or down are zero.

As an added bonus, all interfaces start life as group zero and an interface can be moved from group to group as needed. So now your interface names don't matter at all.

--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
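The group-number scheme from the reply above, worked into a complete script as an added example (not code from the post or from the nftables project): it encodes the 0/1/2/3 trust ordering, emits the ip link provisioning commands, and prints an nft ruleset whose rules mention no interface name. The interface names eth0, eth1, br0 and br1 and the rules themselves are constructed assumptions for illustration.

```shell
# Added example (not from the original post): encode the reply's
# trust-ordered interface groups (0 transient, 1 external, 2 internal,
# 3 bridges) and emit the provisioning commands and an nft ruleset.
# Interface names below are constructed for illustration.
# Group numbers: higher means more trusted, so "gt" compares trust.
GROUP_TRANSIENT=0
GROUP_EXTERNAL=1
GROUP_INTERNAL=2
GROUP_BRIDGE=3

# Constructed inventory, one "<ifname> <group>" per line.
IFACE_TABLE="eth0 $GROUP_EXTERNAL
eth1 $GROUP_INTERNAL
br0 $GROUP_BRIDGE
br1 $GROUP_BRIDGE"

# Print one "ip link set dev ... group ..." line per interface (run as
# root at provisioning time; printed here so the script needs no privilege).
provision_cmds() {
    printf '%s\n' "$IFACE_TABLE" | while read -r ifname group; do
        printf 'ip link set dev %s group %s\n' "$ifname" "$group"
    done
}

# Print an nft ruleset that never names an interface: trust is decided
# by group number alone, so adding or renaming NICs needs no rule change.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # still in group 0: not yet classified, so not trusted
        iifgroup $GROUP_TRANSIENT drop
        # anything more trusted than the external group may reach the host
        iifgroup gt $GROUP_EXTERNAL accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # trusted side may initiate outbound through the external group
        iifgroup gt $GROUP_EXTERNAL oifgroup $GROUP_EXTERNAL accept
    }
}
EOF
}
```

Running `provision_cmds` as root and feeding `nft_ruleset` to `nft -f -` applies the scheme; an interface left in group 0 (for example one that just came up) is dropped until it is explicitly classified.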