Kamil Jońca <kjonca@xxxxx> wrote: > What is the best way to create rules used to ipsec traffic filtering? > > So far I have bunch rules created per reqid like that: > table ip filter { # handle 13 > > chain INPUT { # handle 1 > type filter hook input priority filter; policy drop; > iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326 > [...] [..] > But I believe this is not the best method for nftables. So has anybody > suggestion what is the best practicte to handle this situation? > I tried to use maps/vmaps but reqid cannot be use as index. Thats a bug / missing feature, it should be possible to use reqid in concatenated keys too. I've sent a patch for this: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@xxxxxxxxx/