Good morning,

I'm trying to see if I can improve our nftables ruleset performance by using very generic sets/maps. Currently we have different sets for every L4 protocol with jumps to different protocol chains, but I'm attempting to see if I can combine them into one set:

    nft flush ruleset
    nft add table ip filter
    nft add map filter test { type iface_index . inet_proto . ipv4_addr . inet_service : verdict \; }
    nft add chain filter input { type filter hook input priority 0 \; }
    nft add element filter test { eth0 . tcp . 1.2.3.4 . ssh : accept }
    nft add element filter test { eth0 . udp . 1.2.3.4 . 53 : accept }
    nft add element filter test { eth0 . tcp . 1.2.3.4 . 53 : drop }

While that works just fine, the problem comes when writing the rule. Since my goal is to reduce the number of rules a packet will hit as much as possible, I *want* to have a rule that would look something like this:

    nft add rule filter input meta iif . meta l4proto . ip daddr . @test[1] dport vmap @test

which would essentially "use" part of the concatenation to determine which payload header to use. Or perhaps something like this would be useful for me:

    nft add rule filter input meta iif . meta l4proto . ip daddr . {tcp, udp} dport vmap @test

After writing the majority of this e-mail, I came across the Raw Expression example in the docs about matching dport for both UDP and TCP, but that also doesn't work for me, since variable sized datatypes aren't allowed in concat expressions:

    nft add rule filter input meta iif . meta l4proto . ip daddr . @th,16,16 vmap @test
    Error: can not use variable sized data types (integer) in concat expressions
    add rule filter input meta iif . meta l4proto . ip daddr . @th,16,16 vmap @test
                                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^

So, is there anything currently available (or "on the way") that enables the functionality above? Or should I just continue with sets/maps per-protocol?

Thanks,
Fran Fitzpatrick
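For reference, the per-protocol layout the question describes as the current approach, written as a single `nft -f` ruleset. This is an added example and not the poster's own configuration; the interface, addresses and ports are placeholders taken from the commands above, and each map key uses only fixed-size types so the concatenation is accepted.

```nft
# Added example (not from the original e-mail): one map per L4 protocol,
# with the input chain dispatching on meta l4proto to a per-protocol chain.
flush ruleset

table ip filter {
    # TCP-only map: the dport column is inet_service, a fixed-size type,
    # so it can be concatenated with iface_index and ipv4_addr.
    map tcp_in {
        type iface_index . ipv4_addr . inet_service : verdict
        elements = { eth0 . 1.2.3.4 . 22 : accept,
                     eth0 . 1.2.3.4 . 53 : drop }
    }

    # UDP-only map with the same key layout.
    map udp_in {
        type iface_index . ipv4_addr . inet_service : verdict
        elements = { eth0 . 1.2.3.4 . 53 : accept }
    }

    chain input {
        type filter hook input priority 0;
        # First rule a packet hits: pick the protocol chain.
        meta l4proto vmap { tcp : jump tcp_chain, udp : jump udp_chain }
    }

    chain tcp_chain {
        # Second and last rule for TCP: one lookup against the TCP map.
        meta iif . ip daddr . tcp dport vmap @tcp_in
    }

    chain udp_chain {
        # Second and last rule for UDP: one lookup against the UDP map.
        meta iif . ip daddr . udp dport vmap @udp_in
    }
}
```

Load with `nft -f <file>` as root; a packet then traverses two rules (the dispatch vmap and one map lookup) instead of one rule per protocol set.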