On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:

> Rather, "define nics".

Yes, sorry.

> You mentioned the use of bash, which is capable of serving as a generator.

Thanks, I know. The thing is that nics can be added/removed at any point in time, not just at startup, which makes it more complicated.

> It does not.
>
> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'

This gives a segfault here.

> Perhaps you need to upgrade nft.

Here:

# nft -V
nftables v1.0.6 (Lester Gooch #5)
  cli:          editline
  json:         yes
  minigmp:      no
  libxtables:   yes

On Debian 12 stable.

> Can you provide a minimal ruleset that reproduces the segfault?

#!/usr/sbin/nft -f

flush ruleset

define nics = { "eth0" }

table netdev filter
delete table netdev filter
table netdev filter {
	chain ingress_internal {
		type filter hook ingress devices = $nics priority -500
	}
}
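
The generator approach discussed in this message, as an added example that is not part of the original post or of nftables: a shell function that renders the same table/chain shape as the ruleset above for whatever interfaces exist at the moment, so it can be re-run when a NIC appears or disappears. The names `valid_ifname` and `render_netdev_ruleset` are hypothetical, the interface names are constructed samples, and the script only prints text; it does not call nft.

```shell
#!/bin/sh
# Added example: render a netdev ingress ruleset for a given set of NICs.
# valid_ifname and render_netdev_ruleset are hypothetical helpers.

# Conservative allowlist (stricter than the kernel's own rule): 1-15 chars,
# no '/', ':', whitespace or quote characters that could escape the string.
valid_ifname() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9_.@-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

render_netdev_ruleset() {
    list=''
    for nic in "$@"; do
        valid_ifname "$nic" || { echo "skipping bad name: $nic" >&2; continue; }
        list="${list:+$list, }\"$nic\""
    done
    # Create-then-delete lets the delete succeed on first load as well;
    # the rendered file is meant to be applied in one "nft -f" transaction.
    printf 'table netdev filter\ndelete table netdev filter\n'
    # With no usable device there is nothing to hook: leave the table absent.
    [ -n "$list" ] || return 0
    printf 'define nics = { %s }\n' "$list"
    printf 'table netdev filter {\n'
    printf '\tchain ingress_internal {\n'
    printf '\t\ttype filter hook ingress devices = $nics priority -500\n'
    printf '\t}\n}\n'
}

# Constructed sample run. A hotplug hook would pass the current names
# (for example the entries of /sys/class/net) and pipe the output to nft -f -
render_netdev_ruleset eth0 'bad"name' enp1s0
```

The rejected name is reported on stderr and left out of the set, so a device name can never inject ruleset syntax.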