Re: exclude named sets

Yes they are named sets. I define them like this:

root@anvil:~# grep "include" /etc/nftables.conf
include "/etc/nftables/*.nft"
root@anvil:~# cat /etc/nftables/nftables-stormwall.nft
table ip nat {
        set stormwall {
                type ipv4_addr;
                flags interval;
                auto-merge;
                elements = { 185.121.240.0/22,
                             185.121.240.0/24,
                             185.121.241.0/24,
                             185.121.242.0/24,
                             185.121.243.0/24,
                             185.71.64.0/24,
                             185.71.66.0/24,
                             193.84.85.0/24,
                             193.84.88.0/24,
                             193.84.90.0/24,
                             5.252.32.0/24,
                             5.252.33.0/24,
                             5.252.34.0/24,
                             5.252.35.0/24 }
        }
}
root@anvil:~#

According to the nftables wiki
(https://wiki.nftables.org/wiki-nftables/index.php/Sets)
I can do this:

nft add rule ip filter output ip daddr != @blackhole accept

But probably not like this:
nft add rule ip filter output ip daddr != {@akamai, @stormwall} accept

-- 
Talk is cheap, show me the code (c) Linus Torvalds
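One way to get the effect of that second rule, since a set literal cannot reference other sets: jump into a regular chain that returns early for any listed destination and accepts everything else. This is an added example, not the poster's ruleset; the set contents (RFC 5737 documentation ranges), the chain name and the drop rule at the end are assumed.

```nft
#!/usr/sbin/nft -f
# Added example. Goal: accept output traffic whose destination is in neither
# named set, and let traffic to a listed destination fall through to the rules
# after the jump, i.e. what "ip daddr != {@akamai, @stormwall} accept" would
# mean if it were valid syntax.
# Declare, then flush, the table so the file can be reloaded without
# duplicating rules; only "ip filter" is touched, other tables are left alone.
table ip filter {}
flush table ip filter

table ip filter {
        # Constructed contents: RFC 5737 documentation ranges, not real prefixes.
        set akamai {
                type ipv4_addr;
                flags interval;
                elements = { 192.0.2.0/24 }
        }
        set stormwall {
                type ipv4_addr;
                flags interval;
                elements = { 198.51.100.0/24, 203.0.113.0/24 }
        }

        # Regular (non-base) chain: "return" goes back to the caller and
        # continues with the rule after the jump, so a listed destination is
        # neither accepted nor dropped here. Add one line per named set.
        chain accept_unless_listed {
                ip daddr @akamai return
                ip daddr @stormwall return
                accept
        }

        chain output {
                type filter hook output priority 0; policy drop;
                jump accept_unless_listed
                # Only destinations found in @akamai or @stormwall reach this
                # point; the verdict here is the assumed part of the example.
                log prefix "listed-dst: " counter drop
        }
}
```

Load it with nft -f and check the hit counts with nft list chain ip filter output; traffic to the listed ranges shows up on the final counter, everything else is accepted inside accept_unless_listed.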