Currently on Linux 5.15 with nft 0.9.8.
I'd like to be able to match on the value of a map lookup. For
instance, something like:
ip saddr iifname map { eth0 : 192.168.1.1, eth1 : 192.168.2.1 } ...
meaning "map the input interface to an IP address and match the result
against the source address". But if this is supported, I can't figure
out the syntax.
More complicatedly, I'd also like to be able to reference individual
elements in a value tuple. For example, I'd like to be able to do
something like:
map iface_to_net {
type ifname : ipv4_addr . ipv4_addr;
elements = { eth0 : 192.168.1.1 . 255.255.255.0, eth1 :
192.168.2.1 . 255.255.255.0 }
}
ip saddr & iifname map @iface_to_net [0] vmap { iifname map
@iface_to_net [0] &iifname map @iface_to_net [1] : accept }
That is, "accept if the source address is on the same network as the interface".
Also, is there any plan to allow for CIDR blocks to be values of their
own instead of intervals? It would be nice to be able to map keys to
CIDR blocks that can be directly used in address matching.
Thanks,
Kyle
