Hi!

I have a question regarding migration from ipset to nftables.

I have plenty of sets of this kind, containing tcp/udp/icmp:

ipset create MYSET hash:ip,port family inet hashsize 1024 maxelem 65536
ipset add MYSET 172.18.1.11,udp:137
ipset add MYSET 172.18.1.11,udp:138
ipset add MYSET 172.18.1.11,tcp:139
ipset add MYSET 172.18.1.11,tcp:445
ipset add MYSET 172.18.1.11,icmp:echo-request

and a firewall rule for it:

iptables -A FORWARD -s 10.1.20.150/32 -m set --match-set MYSET dst,dst -j ACCEPT

When I translate my set to nftables I get a set like this:

add set inet global MYSET { type ipv4_addr . inet_proto . inet_service; size 65536; }
add element inet global MYSET { 172.18.1.11 . udp . 137 }
add element inet global MYSET { 172.18.1.11 . udp . 138 }
add element inet global MYSET { 172.18.1.11 . tcp . 139 }
add element inet global MYSET { 172.18.1.11 . tcp . 445 }
add element inet global MYSET { 172.18.1.11 . icmp . 2048 }

However, I can't use it in an nft rule because it requires selecting a protocol (tcp/udp) when selecting dport:

ip saddr . meta l4proto . tcp dport @MYSET accept

Is there a way to translate and use this kind of set in nftables, or do I need to create three separate rules (for tcp, udp and icmp respectively)?

Another question: is there some kind of list:set set type in nftables, so I could make a set of sets and use it in the ruleset as I could with iptables+ipset?

Thanks in advance.

Best regards,
Alex
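Added example, not part of the original post and not code from ipset or nftables: a small Python sketch of the element translation shown in the message, useful for checking what each `ipset add` member becomes in the `ipv4_addr . inet_proto . inet_service` set. The function names and the ICMP name table are constructed for illustration; the `(type << 8) | code` encoding is inferred from the 2048 shown for echo-request (type 8, code 0), and the tcp default for a bare port and the numeric `type/code` form are assumptions about ipset's member syntax.

```python
import ipaddress

# Constructed subset of ICMP names -> (type, code); extend as needed.
ICMP_NAMES = {"echo-reply": (0, 0), "echo-request": (8, 0)}


def icmp_value(spec):
    """Pack an ICMP name or numeric 'type/code' into the 16-bit service field."""
    if spec in ICMP_NAMES:
        icmp_type, icmp_code = ICMP_NAMES[spec]
    else:
        type_s, _, code_s = spec.partition("/")
        icmp_type, icmp_code = int(type_s), int(code_s or 0)
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError(f"ICMP type/code out of range: {spec}")
    # Assumption: type in the high byte, code in the low byte (8/0 -> 2048).
    return (icmp_type << 8) | icmp_code


def translate_add(line, table="inet global"):
    """Turn one 'ipset add SET ip,proto:port' line into an nft 'add element' line."""
    words = line.split()
    if len(words) != 4 or words[:2] != ["ipset", "add"]:
        raise ValueError(f"not an 'ipset add' line: {line!r}")
    set_name, member = words[2], words[3]
    addr, sep, portspec = member.partition(",")
    if not sep:
        raise ValueError(f"member has no port part: {member!r}")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    proto, sep, port = portspec.partition(":")
    if not sep:  # bare port: assumed to mean tcp
        proto, port = "tcp", portspec
    if proto == "icmp":
        value = icmp_value(port)
    elif proto in ("tcp", "udp"):
        value = int(port)  # port ranges such as 80-82 are rejected here
        if not 0 <= value <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        raise ValueError(f"unsupported protocol: {proto}")
    return f"add element {table} {set_name} {{ {addr} . {proto} . {value} }}"


if __name__ == "__main__":
    # Constructed input: the member lines from the message above.
    for member in ("udp:137", "udp:138", "tcp:139", "tcp:445", "icmp:echo-request"):
        print(translate_add(f"ipset add MYSET 172.18.1.11,{member}"))
```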