On 31/01/2024 at 11:54, Marc Haber wrote:
[...]
>> At any rate, the following nftables ruleset is valid.
>>
>> table inet filter {
>>     set block4 { type ipv4_addr }
>>     set block6 { type ipv6_addr }
>>     chain INPUT {
>>         type filter hook input priority filter; policy accept
>>         ip saddr @block4 drop
>>         ip6 saddr @block6 drop
>>     }
>> }
>
> Isn't that clumsy!
> Wouldn't it be so much nicer to be able to write:
>
> table inet filter {
>     set block46 { type ipv46_addr }
>     chain INPUT {
>         type filter hook input priority filter; policy accept
>         ip46 saddr @block46 drop
>     }
> }
>
> Having to write distinct rules makes things more complex and
> error-prone.
table inet filter {
    set block6 {
        type ipv6_addr
    }
    chain INPUT {
        type filter hook input priority filter; policy accept
        ip4to6 saddr @block6 drop
        ip6 saddr @block6 drop
    }
}
With ip4to6 (a type/command that does not exist in nftables at this time)
transforming an IPv4 address into its IPv4-mapped IPv6 form, e.g.
127.0.0.1 => ::ffff:127.0.0.1. At this time we are already able to map
IPv4 addresses into IPv6 tables like:

nft add element inet filter ip-banned-ip6 { ::ffff:1:2:3:4 }
[...]
--
Daniel
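The single-set idea discussed above, as an added Python model that is not part of the thread and not nftables code: one set of type ipv6_addr holds native IPv6 entries and IPv4 entries in their IPv4-mapped form (::ffff:a.b.c.d, the ::ffff:0:0/96 prefix of RFC 4291), and a lookup behaves like the hypothetical ip4to6 saddr @block6 rule for IPv4 sources and like the real ip6 saddr @block6 rule for IPv6 sources. The blocklist entries and the function names (to_mapped, build_block6, saddr_matches, v4_reachable, nft_elements) are constructed for this example.

```python
# Added example (not from the thread): model of a single ipv6_addr blocklist
# set that also covers IPv4 sources via their IPv4-mapped form.
import ipaddress
from typing import Iterable, Set

# Constructed blocklist: a native IPv6 address, a plain IPv4 address and an
# address already written in IPv4-mapped notation.
BLOCKED_INPUT = ["2001:db8::bad", "192.0.2.10", "::ffff:198.51.100.7"]


def to_mapped(addr: str) -> ipaddress.IPv6Address:
    """Return addr as an IPv6Address; IPv4 input becomes ::ffff:a.b.c.d
    (the mapping the hypothetical ip4to6 would perform)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        # ipaddress accepts the embedded dotted-quad notation directly.
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip


def build_block6(addrs: Iterable[str]) -> Set[ipaddress.IPv6Address]:
    """Build the single set; the same address in two notations collapses
    into one element because IPv6Address compares by value."""
    return {to_mapped(a) for a in addrs}


def saddr_matches(block6: Set[ipaddress.IPv6Address], saddr: str) -> bool:
    """Model both rules: IPv4 sources are mapped first, IPv6 sources are
    looked up as they are."""
    return to_mapped(saddr) in block6


def v4_reachable(block6: Set[ipaddress.IPv6Address]) -> Set[ipaddress.IPv4Address]:
    """Elements that can ever match an IPv4 packet: only those inside
    ::ffff:0:0/96 have an ipv4_mapped value; anything else is IPv6-only."""
    return {a.ipv4_mapped for a in block6 if a.ipv4_mapped is not None}


def nft_elements(block6: Set[ipaddress.IPv6Address]) -> str:
    """Render the set contents as an nft 'elements = { ... }' clause."""
    return "elements = { " + ", ".join(str(a) for a in sorted(block6)) + " }"


if __name__ == "__main__":
    block6 = build_block6(BLOCKED_INPUT)
    print(nft_elements(block6))
    for src in ["192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7",
                "192.0.2.11", "2001:db8::bad"]:
        verdict = "drop" if saddr_matches(block6, src) else "accept"
        print(f"{src:>20} -> {verdict}")
```

v4_reachable is the check worth keeping around: an element outside ::ffff:0:0/96 can only ever match IPv6 traffic, so listing the IPv4 addresses the set actually covers shows immediately whether an entry meant to block an IPv4 host was written in a form the mapping would never produce.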