On 04.06.2022 17:34, Kamil Jońca wrote:
--8<---------------cut here---------------start------------->8---
tcp dport ssh ip saddr $host_6 accept;
--8<---------------cut here---------------end--------------->8---
Bear in mind that you should use ip6 whenever you want to filter IPv6 addresses:
tcp dport ssh ip6 saddr $host_6 accept;
On 04.06.2022 17:34, Kamil Jońca wrote:
Marc Haber <mh+netfilter@xxxxxxxxxxxx> writes:
Hi,
I am somewhat a newbie to nft, but I have been doing Linux packet
filtering for way more than 20 years, starting with ipfwadm back in 1997
or 1998.
In nft, I would like to be able to write something along the lines of
|@@def $host = (85.214.160.151 2a01:238:42bc:a101::2:100)
|
|chain INPUT saddr $host proto tcp dport 22 ACCEPT
I think that strictly speaking this (i.e. mixing IPv6 and IPv4 in one
set [1]) is not possible.
But there is no problem doing it separately (as you probably know):
--8<---------------cut here---------------start------------->8---
define host_4 = { 85.214.160.151 , .. and other hosts.. }
define host_6 = { 2a01:238:42bc:a101::2:100 , and other hosts }
tcp dport ssh ip saddr $host_4 accept;
tcp dport ssh ip saddr $host_6 accept;
--8<---------------cut here---------------end--------------->8---
When you are talking about "hundreds" of addresses, you will probably need
to use some kind of script to split the IPv6/IPv4 addresses.
Or use named sets and manipulate them separately on the fly.
KJ
[1] I know that the IPv4 space is mapped into some subset of IPv6.
--
With Best Regards
Alov, igor
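The "script to split ipv6/ipv4 addresses" that Kamil mentions, as an added example that is not part of this thread and not code from either poster: it takes a mixed list of hosts, classifies each with Python's `ipaddress` module, and renders an nftables ruleset with two named sets (`host_4`, `host_6`, the names from Kamil's snippet) that are matched with `ip saddr` and `ip6 saddr` respectively, as Igor points out. The `inet` table name `filter`, the chain `input` and the extra `established,related` / loopback rules are assumptions for a complete ruleset; the sample hosts other than the two literal addresses from the thread are constructed from RFC 5737 / RFC 3849 documentation ranges. Because an IPv4-mapped IPv6 address (footnote [1]) never appears in a packet header on the wire, the script normalises that form to its IPv4 address and puts it in `host_4`.

```python
import ipaddress

# Constructed sample input: a mixed, unsorted host list as an admin might keep
# in a text file. Two addresses come from the thread; the rest are
# documentation ranges used only as placeholders.
SAMPLE_HOSTS = [
    "85.214.160.151",
    "2a01:238:42bc:a101::2:100",
    "192.0.2.10",
    "2001:db8::1",
    "::ffff:192.0.2.20",   # IPv4-mapped IPv6 form; normalised to IPv4 below
    "198.51.100.0/24",     # a prefix; allowed in a set declared with "flags interval"
]


def split_hosts(hosts):
    """Split raw host strings into sorted, de-duplicated (ipv4, ipv6) network lists.

    Raises ValueError on anything that is not a valid address or prefix, so a
    typo in the host list aborts generation instead of silently dropping a host.
    """
    v4, v6 = set(), set()
    for raw in hosts:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version == 6 and net.prefixlen == 128:
            # ::ffff:a.b.c.d only exists in the socket API; on the wire the
            # packet is IPv4, so it belongs in the IPv4 set.
            mapped = net.network_address.ipv4_mapped
            if mapped is not None:
                net = ipaddress.ip_network(mapped)
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def fmt(net):
    """Render a network the way nft expects: bare address for hosts, CIDR for prefixes."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_set(name, addr_type, nets):
    """Render one named nft set; the elements line is omitted when the set is empty."""
    lines = [f"    set {name} {{", f"        type {addr_type}", "        flags interval"]
    if nets:
        lines.append("        elements = { " + ", ".join(fmt(n) for n in nets) + " }")
    lines.append("    }")
    return lines


def render_ruleset(hosts, table="filter", port="ssh"):
    """Build a complete inet-family ruleset (assumed table/chain layout)."""
    v4, v6 = split_hosts(hosts)
    lines = [f"table inet {table} {{"]
    lines += render_set("host_4", "ipv4_addr", v4)
    lines += render_set("host_6", "ipv6_addr", v6)
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
        # The point of the thread: ip matches only IPv4 headers, ip6 only IPv6.
        f"        tcp dport {port} ip saddr @host_4 accept",
        f"        tcp dport {port} ip6 saddr @host_6 accept",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the output to a file and load it with: nft -f <file>
    print(render_ruleset(SAMPLE_HOSTS))
```

Because the sets are named, elements can later be added or removed on the fly with `nft add element inet filter host_6 { ... }` without reloading the whole ruleset, which is the second option Kamil describes.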