I wrote the question quoted below some days ago.
There have been no answers, which surprises me - I would have thought
that just about everybody would want a way to conditionally in- or
exclude rules.
I have now chosen to assume that there is no such possibility in nft,
and I am now writing a simple preprocessor that will solve my problem.
Another and somewhat related thing I miss is empty anonymous sets. If I
have an nft file containing:
define AllowedIps = { 1.2.3.4, 5.6.7.8 }
...
... daddr $AllowedIps accept
then it might happen that some day both ip addresses are no longer
allowed, and I would then expect that when I changed the "define"
statement to
define AllowedIps = { }
then the rule further below would become a NOP. But nft does not accept
an empty set.
Regards,
Jesper
On 2022-04-27 12:24, Jesper Dybdal wrote:
I am beginning to plan my change from iptables to native nft.
My iptables shell script has some conditionals where rules are
included or not depending on environment variables or other conditions
that are known beforehand. Example: whether or not all interfaces, or
only some, are up.
Is this possible with nft? I.e., something like:
define externalinterfaceready = 1
...
if ( externalinterfaceready) {
... add rules depending on the external interface being up
}
And even better if it could query environment variables.
I haven't seen any description of something like this being possible
in a less clumsy way than dynamically building an include file for
every "if" and include them in the ruleset at suitable points.
Have I overlooked something?
Thanks,
Jesper
--
Jesper Dybdal
https://www.dybdal.dk
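As an added example (this is not the poster's preprocessor, which is not shown in the thread, and not part of nftables itself), below is a small POSIX shell preprocessor that addresses both points raised above: rules are emitted or skipped according to environment variables, and the address list goes into a named set rather than an anonymous one, because nft accepts a named set declared with no elements while it rejects an anonymous `{ }`. The variable names `EXTERNAL_IF_READY`, `EXTERNAL_IF` and `ALLOWED_IPS`, the table and chain layout, and the sample addresses are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for `nft -f -` from
# environment variables (hypothetical names, not from the original post):
#   EXTERNAL_IF_READY  "1" when the external interface is up, else "0"
#   EXTERNAL_IF        external interface name (default: eth0)
#   ALLOWED_IPS        space-separated IPv4 addresses; may be empty
#
# Usage:  EXTERNAL_IF_READY=1 ALLOWED_IPS='1.2.3.4 5.6.7.8' sh gen.sh | nft -c -f -

# Join the positional arguments with ", " for an nft element list.
join_csv() {
    out=""
    for a in "$@"; do
        out="${out:+$out, }$a"
    done
    printf '%s' "$out"
}

# Print the complete ruleset to stdout.
gen_ruleset() {
    ext_if="${EXTERNAL_IF:-eth0}"
    # Intentional word splitting: one positional parameter per address.
    # shellcheck disable=SC2086
    set -- ${ALLOWED_IPS:-}

    cat <<EOF
flush ruleset
table inet filter {
    set allowed_ips {
        type ipv4_addr
EOF
    # A named set may be declared without elements, so an empty ALLOWED_IPS
    # simply yields a set that matches nothing and the rule using it is a NOP.
    if [ "$#" -gt 0 ]; then
        printf '        elements = { %s }\n' "$(join_csv "$@")"
    fi
    cat <<EOF
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
EOF
    # Conditional rule: only emitted when the external interface is up.
    if [ "${EXTERNAL_IF_READY:-0}" = "1" ]; then
        printf '        iifname "%s" tcp dport 22 accept\n' "$ext_if"
    fi
    cat <<EOF
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        ip daddr @allowed_ips accept
    }
}
EOF
}

gen_ruleset
```

The generated text is plain nft syntax, so it can be checked with `nft -c -f -` before being applied, and the conditional blocks never leave half-written include files on disk. If the address list later needs to change without regenerating everything, the named set can also be edited at runtime with `nft add element` and `nft delete element`.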