On Wed, Nov 28, 2018 at 07:30:19AM -0500, Jeremy Jackson wrote:
>
> On 2018-11-18 6:31 p.m., Pablo Neira Ayuso wrote:
> > On Sun, Nov 18, 2018 at 07:51:13AM -0500, Jeremy Jackson wrote:
> > > On 2018-11-17 2:44 p.m., Florian Westphal wrote:
> > > > Jeremy Jackson <jerj@xxxxxxxxxxxx> wrote:
> > > > > I have a bash script which implements zone-based iptables firewall rules
> > > > > similar to firewalld or Cisco PIX. The key ingredient is the ability to
> > > > > iterate over a list of network interfaces, to create chains and rules for
> > > > > every input to output interface combination:
> > > > >
> > > > > I would like to do this with the nft utility or at least with a libnftables
> > > > > C library based utility.
> > > > >
> > > > > Would a contributed looping construct be welcomed into the nft utility? It
> > > > > already has variables. A minimal implementation would be a single keyword
> > > > > "permute-interfaces $iif $oif"
> > > > I find it hard to answer without any context of what this would look
> > > > like.
> > > >
> > > > In/Out combinations would normally look similar to this:
> > > >
> > > > add rule filter forward meta iif . meta oif { "eth0" . "ppp0", "eth0" . "veth0" }
> > > >
> > > > (instead of { ... }, a named set could be used that can then be changed
> > > The iteration is what generates that set on the fly. Example:
> > >
> > > Given the set of interfaces in a named set $ifset { eth0, eth1, ppp0 }, the
> > > statement
> > OK, so the goal is some sort of macro expansion, if I understand correctly.
> >
> > ...
> > > I would like to avoid having to load another language interpreter to do such
> > > a trivial thing, when nft already has a parser built in.
> > Yes, having built-in stuff is the way to go. Not sure this is the
> > best way to express this. We can probably introduce loops for
> > expansions and add some built-in function to permute on a list of any
> > arbitrary datatype.
> >
> > I would prefer we explore this rather than starting to add
> > datatype-specific macro-like features.
>
> I agree in principle and I did think of that... OTOH I might not have the
> patience to do that, so I thought about a compromise, maybe for proof of
> concept?

PoC is fine indeed.

> In any case, I will begin by adapting my bash script, migrating as much as
> possible to nftables scripts, by using variables, include files, etc. Then
> it should be obvious what the minimum required permutation function is.
>
> I'm hoping to find it is possible to include the same file multiple times,
> changing some variables before each inclusion. If so, then the required
> changes to nft should be minimal.

Please describe your needs regarding this multiple-times file inclusion;
this is useful if they are not currently satisfied.

Thanks.
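As an added example that is not part of the thread (neither Jeremy's script nor anything in nft itself), the following POSIX shell wrapper performs the "permute-interfaces" expansion outside nft and emits a complete nft script on stdout, which can then be loaded with `nft -f -`. It produces the concatenated `meta iif . meta oif { ... }` set element list in the form Florian quoted, and one chain per ordered interface pair so that per-zone policy has somewhere to live. The `inet zones` table, the `zone_<iif>_to_<oif>` chain naming and the default drop policy are assumptions of this example, not conventions from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the interface permutation
# in the shell and hand nft a finished script (`gen_nft_script eth0 eth1 ppp0 | nft -f -`).
# Table name, chain naming scheme and drop policy are constructed for this example.

# permute_pairs IFACE... : print the concatenated set elements
# `"iif" . "oif"` for every ordered pair of distinct interfaces,
# comma separated on one line (the element form used in the quoted rule).
permute_pairs() {
    pp_out=""
    for pp_iif in "$@"; do
        for pp_oif in "$@"; do
            # a packet never leaves on the interface it arrived on in this model
            [ "$pp_iif" = "$pp_oif" ] && continue
            pp_elem="\"$pp_iif\" . \"$pp_oif\""
            if [ -z "$pp_out" ]; then
                pp_out="$pp_elem"
            else
                pp_out="$pp_out, $pp_elem"
            fi
        done
    done
    printf '%s\n' "$pp_out"
}

# chain_name IIF OIF : derive a chain identifier nft will accept; interface
# names may contain characters (e.g. '-' or '.') that are not valid in identifiers.
chain_name() {
    printf 'zone_%s_to_%s\n' "$1" "$2" | tr -c 'A-Za-z0-9_\n' '_'
}

# gen_nft_script IFACE... : emit a forward chain with drop policy, one empty
# per-pair chain (to hold zone policy) with a jump rule into it, and finally a
# single concatenated-set rule accepting traffic between any two listed interfaces.
gen_nft_script() {
    printf 'add table inet zones\n'
    printf 'add chain inet zones forward { type filter hook forward priority 0; policy drop; }\n'
    for g_iif in "$@"; do
        for g_oif in "$@"; do
            [ "$g_iif" = "$g_oif" ] && continue
            g_chain=$(chain_name "$g_iif" "$g_oif")
            printf 'add chain inet zones %s\n' "$g_chain"
            printf 'add rule inet zones forward iifname "%s" oifname "%s" jump %s\n' \
                "$g_iif" "$g_oif" "$g_chain"
        done
    done
    # Per-pair chains return when they have no verdict; this rule then accepts
    # only the listed combinations, everything else falls through to the drop policy.
    printf 'add rule inet zones forward meta iif . meta oif { %s } accept\n' \
        "$(permute_pairs "$@")"
}

gen_nft_script eth0 eth1 ppp0
```

Because the set elements are built from the same interface list as the per-pair chains, adding an interface to the argument list regenerates every combination consistently; the script can be rerun and its output atomically reloaded with `nft -f -` whenever the interface list changes.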