If I declare a vmap and reference it this way:
table inet filter {
map dispatch { type ifname : verdict; elements = { lo : accept } }
chain input {
type filter hook input priority filter; policy drop;
iifname vmap @dispatch
I can then add elements at the end of the input file imperatively:
add element inet filter dispatch { tun0 : jump guest_in }
and the expected thing happens:
$ nft list ruleset
table inet filter {
map dispatch {
type ifname : verdict
elements = { "lo" : accept,
"tun0" : jump guest_in }
}
Great. But I would like to have a site-specific include with some
defines. So, I try to pre-declare the vmap, include the site file, and
then define the remaining rules:
add table inet filter
add map inet filter dispatch { type ifname : verdict; elements = { lo
: accept } }
include "/etc/network/site.nft"
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname vmap @dispatch
But this produces the following error on load:
/etc/network/nftables.conf:16:22-30: Error: No such file or directory;
did you mean map ‘dispatch’ in table inet ‘filter’?
iifname vmap @dispatch
^^^^^^^^^
Yet if I remove the reference to eliminate the error, I get the following:
$ nft list ruleset
table inet filter {
map dispatch {
type ifname : verdict
elements = { "lo" : accept,
"tun0" : jump guest_in }
}
I cannot see any difference. Any ideas what is going on here?
Thanks,
Kyle
