On Wed, 24 Apr 2024, at 7:03 PM, William N. wrote:
> Hi,
>
> I am trying to do this:
>
> # dynamic list, updated through a bash script:
> define $nics = { "nic1", "nic5", ... }

Rather, "define nics".

> # ...
> chain foo {
>     type filter hook ingress devices = $nics priority -500
>     # ...
> }
>
> The problems I am facing:
>
> 1. It seems the perfect solution I was hoping for is not possible:
>
> devices = "nic*"

You mentioned the use of bash, which is capable of serving as a generator.

nics=( /sys/class/net/nic* )
( IFS=,; printf 'define nics = { %s }\n' "${nics[*]##*/}" ) > /etc/nftables.d/include-me.nft

> 2. If there is only one device (e.g. "nic7"), the syntax requires:
>
> device "nic7" # not 'devices' and no '='

It does not.

# nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
# nft list ruleset
table netdev t {
	chain c {
		type filter hook ingress device "enp1s0" priority -500; policy accept;
	}
}

Perhaps you need to upgrade nft.

> Trying something like devices = "nic7" results in a segmentation fault.

Can you provide a minimal ruleset that reproduces the segfault?

--
Kerin Millar
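As an added example that is not part of the thread, here is a POSIX sh version of the generator approach described above. It differs from the bash one-liner in one practical way: when no interface matches the glob, the shell leaves the pattern literal, so the naive version would write `define nics = { nic* }` into the include; this version returns non-zero instead so the caller can keep the previous include. The function names `gen_nics_define` and `check_ruleset`, their parameters, and the sysfs-like demo directory are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables define from the
# interfaces matching a glob, handling the no-match case explicitly.

# gen_nics_define SYSDIR PATTERN [VARNAME]
# Prints e.g.: define nics = { "nic1", "nic5" }
# Returns 1 (printing nothing) when no interface matches PATTERN.
gen_nics_define() {
    sysdir=$1 pattern=$2 varname=${3:-nics} list=''
    for path in "$sysdir"/$pattern; do
        # An unmatched glob stays literal in sh; skip it rather than emit a
        # bogus device name such as "nic*" into the ruleset.
        [ -e "$path" ] || continue
        list="${list:+$list, }\"${path##*/}\""
    done
    [ -n "$list" ] || return 1
    printf 'define %s = { %s }\n' "$varname" "$list"
}

# check_ruleset RULESET_FILE
# Dry-runs the complete ruleset with `nft -c` so a broken include is caught
# before it is loaded; returns 0 when nft is not installed (nothing to check).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# Demo on a constructed sysfs-like directory, so it runs without real NICs.
demo=$(mktemp -d)
mkdir "$demo/nic1" "$demo/nic5" "$demo/eth0"
gen_nics_define "$demo" 'nic*'   # define nics = { "nic1", "nic5" }
gen_nics_define "$demo" 'eth*'   # define nics = { "eth0" }  (one device works too)
gen_nics_define "$demo" 'wlan*' || echo 'no match: keeping previous include' >&2
rm -rf "$demo"
```

In a real deployment, redirect the output to the include file only when the function succeeds, then run `check_ruleset` on the top-level ruleset before reloading it.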