Jeremy Jackson <jerj@xxxxxxxxxxxx> wrote:
> I have a bash script which implements zone-based iptables firewall rules
> similar to firewalld or Cisco PIX. The key ingredient is the ability to
> iterate over a list of network interfaces, to create chains and rules for
> every input to output interface combination:
>
> I would like to do this with the nft utility or at least with a libnftables
> C library based utility.
>
> Would a contributed looping construct be welcomed into the nft utility? It
> already has variables. A minimal implementation would be a single keyword
> "permute-interfaces $iif $oif"

I find it hard to answer without any context of what this would look like.

In/Out combinations would normally look similar to this:

add rule filter forward meta iif . meta oif { "eth0" . "ppp0", "eth0" . "veth0" }

(instead of { ... }, a named set could be used that can then be changed on the fly).

You can also combine this with jumps and gotos to chains:

table ip filter {
    map ifmap {
        type ifname . ifname : verdict
        elements = { "eth0" . "eth1" : accept,
                     "eth0" . "eth2" : drop,
                     "eth0" . "veth0" : goto tun }
    }

    chain forward {
        type filter hook forward priority 0;
        iifname . oifname vmap @ifmap
        drop
    }

    chain tun {
    }
}

... so I don't understand how iteration could be applied in any way.

Can you perhaps illustrate an example?

Thanks.
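Added example, not part of this thread: a POSIX shell script that performs the "permute-interfaces" expansion on the generating side, turning zone membership and a zone-to-zone policy into the ifname . ifname : verdict map elements shown above, so the kernel-side ruleset needs no looping construct. The zone names, interface names and the wan_to_dmz chain are constructed for illustration; the output is meant to be piped into `nft -f -`.

```shell
#!/bin/sh
# Expand every in/out interface pair from a zone policy into vmap elements.
# Constructed zone membership: "zone iface" per line.
ZONE_IFACES="lan eth1
lan eth2
wan ppp0
dmz veth0"
# Constructed inter-zone policy: "from to verdict" per line.
ZONE_POLICY="lan wan accept
lan dmz accept
dmz wan accept
wan dmz jump wan_to_dmz"

# ifaces_in ZONE: print each interface belonging to ZONE.
ifaces_in() {
    z=$1
    printf '%s\n' "$ZONE_IFACES" | while read -r zone iface; do
        [ "$zone" = "$z" ] && printf '%s\n' "$iface"
    done
}

# gen_ifmap_elements: one '"iif" . "oif" : verdict' line per permutation,
# comma separated as nft expects inside elements = { ... }.
gen_ifmap_elements() {
    printf '%s\n' "$ZONE_POLICY" | while read -r from to verdict; do
        for iif in $(ifaces_in "$from"); do
            for oif in $(ifaces_in "$to"); do
                printf '        "%s" . "%s" : %s,\n' "$iif" "$oif" "$verdict"
            done
        done
    done | sed '$ s/,$//'
}

# gen_ruleset: complete ruleset; pairs absent from the map hit the drop policy.
gen_ruleset() {
    cat <<EOF
table ip filter {
    map ifmap {
        type ifname . ifname : verdict
        elements = {
$(gen_ifmap_elements)
        }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname . oifname vmap @ifmap
    }
    chain wan_to_dmz {
        tcp dport 80 accept
    }
}
EOF
}
```

Run `gen_ruleset | nft -c -f -` to syntax-check the generated ruleset before loading it.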