On 19/08/21 11:06 pm, Pablo Neira Ayuso wrote:
> * Allow to combine jhash, symhash and numgen expressions with the
>   queue statement, to fan out packets to userspace queues via
>   nfnetlink_queue.
>
>   ... queue to symhash mod 65536
>   ... queue flags bypass to numgen inc mod 65536
>   ... queue to jhash oif . meta mark mod 32
>
>   You can also combine it with maps, to select the userspace queue
>   based on any other singleton key or concatenations:
>
>   ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
I upgraded from nftables 0.9.9 to 1.0.0 (Arch Linux).
Earlier I had this statement which used to work in nftables 0.9.9:
define ips_queue = 0
add rule ip foo snortips queue num $ips_queue bypass
And it gave error in nftables 1.0.0:
Aug 20 05:51:00 amish nft[3540]: /etc/nftables4.conf:19:49-54: Error: syntax error, unexpected bypass, expecting -
Aug 20 05:51:00 amish nft[3540]: add rule ip foo snortips queue num $ips_queue bypass
So I changed the rule to:
define ips_queue = 0
add rule ip foo snortips queue flags bypass num $ips_queue
But it still gave me error:
Aug 20 05:54:51 amish nft[3649]: /etc/nftables4.conf:19:61-61: Error: syntax error, unexpected newline, expecting -
Aug 20 05:54:51 amish nft[3649]: add rule ip foo snortips queue flags bypass num $ips_queue
Then I replaced $ips_queue directly with 0 (zero), and it worked.
add rule ip foo snortips queue flags bypass num 0
So why isn't nftables allowing a defined variable?
It used to work until nft 0.9.9.
Regards,
Amish
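As an added example, not part of the original thread or of the nftables project, the ruleset below puts the 1.0.0 "queue ... to <expression>" forms quoted above into a complete file that can be syntax-checked with `nft -c -f` and loaded with `nft -f`. The table and chain names, the queue count of 4, and the interface names in the map are assumptions; the statement forms themselves are the ones listed in the quoted release note. Queue numbers are written as literals rather than `define`d variables, matching what the report above found to work in 1.0.0.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed names: table "ips",
# chains "fwd_queue" and "in_queue", queues 0..3, interfaces eth0/eth1.

flush ruleset

table inet ips {
    chain fwd_queue {
        type filter hook forward priority filter; policy accept;

        # Fan forwarded traffic out over four nfnetlink_queue queues.
        # symhash is symmetric in the flow tuple, so both directions of a
        # connection hash to the same queue number. "flags bypass" lets
        # packets through instead of dropping them when no userspace
        # program (e.g. an IPS) has bound the queue.
        queue flags bypass to symhash mod 4
    }

    chain in_queue {
        type filter hook input priority filter; policy accept;

        # Hash on source address plus packet mark, as in the
        # "jhash oif . meta mark mod 32" form from the release note.
        ip protocol tcp queue flags bypass to jhash ip saddr . meta mark mod 4

        # Pick the queue from the input interface via a map (assumed
        # interface names); packets from other interfaces are not queued.
        queue flags bypass to iifname map { "eth0" : 0, "eth1" : 1 }
    }
}
```

Load it with `nft -c -f ips.nft` first; a syntax-check failure points at the offending rule with the same `file:line:col` location format seen in the journal lines above, which is the quickest way to tell a grammar problem from a kernel-side rejection.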