Kamil Jońca <kjonca@xxxxx> wrote:
> What is the best way to create rules used to ipsec traffic filtering?
>
> So far I have bunch rules created per reqid like that:
> table ip filter { # handle 13
>
> chain INPUT { # handle 1
> type filter hook input priority filter; policy drop;
> iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
> [...]
[..]
> But I believe this is not the best method for nftables. So has anybody
> suggestion what is the best practicte to handle this situation?
> I tried to use maps/vmaps but reqid cannot be use as index.
Thats a bug / missing feature, it should be possible to use reqid in concatenated keys
too. I've sent a patch for this:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@xxxxxxxxx/
