Hello,
I want to script nft rules using sh + nft. The sh script contains
variables set for the host and passed to nft using include, e.g.
include "/etc/nftables/local.conf"
It's OK for the definition of IPs or ports but not for alphanumerical
variables. For instance, I want to pass as variable icmp_limit (number)
and icmp_measure (alpha) to include them in nft rule like blabla ...
limit rate over $icmp_limit/$icmp_measure ...
define icmp_limit = { 20 }
define icmp_measure = minute
but the result gives
In file included from ./ip4fw.nft:3:1-35:
/etc/nftables/local.conf:10:23-28: Error: syntax error, unexpected minute
define icmp_measure = minute
^^^^^^
./ip4fw.nft:36:110-110: Error: syntax error, unexpected '$', expecting
number
add rule ip filter input iif $IFACE meta l4proto icmp icmp type {
echo-reply, echo-request } limit rate over $icmp_limit/$icmp_measure
counter drop
Same for the KEEPSTATE variable, but the IFACE one is OK:
define IFACE = ens3
define KEEPSTATE = "state related, established"
./ip4fw.nft:49:40-40: Error: syntax error, unexpected '$'
add rule ip filter input iif $IFACE ct $KEEPSTATE counter accept
What is the way to define alphanumerical variables? I tried to escape
the quotes with \ to remove them and to escape the slash with \, but
there is no way to achieve my goal :(
Thanks for any hint
--
Daniel
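An added example, not part of Daniel's message: the errors quoted above show nft expecting a literal number after "limit rate over" and rejecting the bare keyword "minute" in a define, so one way to keep the per-host values in sh is to substitute them into the rule text before nft reads the file, then run a syntax check with nft -c -f (check without loading into the kernel). The values, the output path and the function names are constructed for this example; iifname is used instead of iif so the check does not depend on the interface existing on the machine that runs it.

```sh
#!/bin/sh
# Added example (not from the original message): render an nftables
# ruleset from shell variables instead of nft "define"s, so that the
# rate unit and the ct state list are literal tokens when nft parses it.

# Per-host settings (constructed sample values; override via environment).
IFACE="${IFACE:-ens3}"
ICMP_LIMIT="${ICMP_LIMIT:-20}"
ICMP_MEASURE="${ICMP_MEASURE:-minute}"
KEEPSTATE="${KEEPSTATE:-state related,established}"

# Print the ruleset with every variable already substituted by the shell.
# The heredoc is unquoted on purpose so $VAR expands here, not in nft.
render_rules() {
    cat <<EOF
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname $IFACE ct $KEEPSTATE counter accept
        iifname $IFACE meta l4proto icmp icmp type { echo-reply, echo-request } limit rate over $ICMP_LIMIT/$ICMP_MEASURE counter drop
    }
}
EOF
}

# Write the rendered ruleset to a file (hypothetical path passed by the
# caller) and, when nft is installed, check its syntax without applying it.
write_rules() {
    out="$1"
    render_rules > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    fi
}

# Usage: write_rules /tmp/ip4fw.generated.nft && nft -f /tmp/ip4fw.generated.nft
```

The check step only validates syntax; loading the generated file (nft -f) still needs the usual privileges, and a failed check leaves the running ruleset untouched.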