| Concatenations allow for set elements to be of a composite data type.
| type ipv4_addr . inet_service . inet_service

Thank you for that starting point. I was able to create the set just fine:

    $ nft add set ip filter temp4-allowed {type ipv4_addr . inet_service . inet_service \; timeout 4h \;}

...and then I was able to figure out how to add an element:

    $ nft add element filter temp4-allowed {192.168.1.1 . 23152 . 23152}

...and checking the set itself looks good:

    $ nft list ruleset | command grep --after-context 4 temp4-allowed
    set temp4-allowed {
            type ipv4_addr . inet_service . inet_service
            timeout 4h
            elements = { 192.168.1.1 . 23152 . 23152 expires 3h53m48s968ms }
    }

In this particular example, sport and dport are equal but they may not always be equal.

I'm struggling to figure out how to add a rule in the nat table. How do we know which inet_service occurrence is sport and which is dport? Could you also please give an example of a nat rule that would check temp4-allowed and direct the traffic according to the set entry? The basic rule looks like this:

    # XXXXX=LAN dest IP
    # YYYYY=WAN dport
    # ZZZZZ=LAN dport
    nft add rule nat prerouting iifname "eth0" tcp dport YYYYY dnat XXXXX:ZZZZZ

...but not sure what the rule structure looks like when referencing a set. I am not finding any examples online.

Reminder: nftables 0.9.3 on Debian 10 running kernel 5.4.0-3-amd64.

Thank you for the help!

-MikeD