Hi All,

I'm using the following syntax to dynamically update the forward chain. It's working fine. I was just wondering if there was a different way to do the same thing. More efficient possibly?

    nft add chain firewall forward { type filter hook forward priority 0 \; policy drop \; }
    nft add map firewall forward_outgoing { type ipv4_addr : verdict \; }
    nft add map firewall forward_incoming { type ipv4_addr : verdict \; }
    nft add rule firewall forward iif eth2 ip saddr vmap @forward_outgoing
    nft add rule firewall forward oif eth2 ip daddr vmap @forward_incoming
    nft add element firewall forward_outgoing { 192.168.0.100 : accept}
    nft add element firewall forward_incoming { 192.168.0.100 : accept}

    nft list table firewall
    table ip firewall {
        map forward_outgoing {
            type ipv4_addr : verdict
            elements = { 192.168.0.100 : accept }
        }

        map forward_incoming {
            type ipv4_addr : verdict
            elements = { 192.168.0.100 : accept }
        }

        chain forward {
            type filter hook forward priority 0; policy drop;
            iif "eth2" ip saddr vmap @forward_outgoing
            oif "eth2" ip daddr vmap @forward_incoming
        }
    }

Thanks in advance,
ad^2