<div dir="ltr"> Hi,<div><br></div>
<div> I'm using the "ipset" feature of dnsmasq with iptables and it's working perfectly.</div><div><br></div>
<div> The thing is... now I need to change my firewall to nftables and I just found that nftables is not able to access an "external ipset set". nftables has its own kind of "internal ipset set of rules".</div><div><br></div>
<div> I know that dnsmasq uses a netlink socket to insert ipset rules inside the Linux kernel netfilter subsystem.</div><div><br></div>
<div> So I was wondering if it is so complicated to use that same netlink socket to include "dnsmasq ipset rules" directly in the "nftables rule set" instead of in an "external ipset set".</div><div><br></div>
<div> Something like this: nft add element filter ip_writelist { some_ip_address }</div><div><br></div>
<div> Of course the "nftable ipset rule" must already be created. Just like an external ipset rule.</div><div> </div>
<div> Would it be a nice feature since nftables seems to be far from supporting an external ipset rule?</div><div><br></div>
<div> Thanks ...<br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Ronaldo Afonso<br><div>11 9 5252 0484</div><div><a href="http://www.ronaldoafonso.com.br" target="_blank">www.ronaldoafonso.com.br</a></div></div></div>
</div></div>
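As an added illustration (not part of the message above and not dnsmasq's own code), this is what the nftables side of the request looks like: a named set that has to exist before anything can add elements to it, a rule that matches on that set, and the `nft add element` command the message mentions. The table name `filter`, the set name `ip_whitelist`, the `ip` family and the sample addresses are assumed.

```nft
# Assumed names: table "filter", set "ip_whitelist" (ip family, like the
# "nft add element filter ..." command in the message). Load with:
#   nft -f this_file.nft
# The set must be created here first; elements added later at runtime
# do not need the rules to change, just as with a pre-created external ipset.
table ip filter {
    set ip_whitelist {
        type ipv4_addr
        # Optional: entries expire so addresses from stale DNS answers
        # do not stay allowed forever.
        timeout 1h
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only destinations currently present in the set may be forwarded.
        ip daddr @ip_whitelist accept
    }
}

# At runtime a resolver (or any other process) adds elements to the set
# without touching the rules; this is the operation the message asks for.
# Constructed sample addresses from the documentation range 203.0.113.0/24:
#   nft add element ip filter ip_whitelist { 203.0.113.10, 203.0.113.11 }
# Check what is currently in the set (elements show their remaining timeout):
#   nft list set ip filter ip_whitelist
```

Because the rule references the set by name, the set contents can change at any rate without reloading the ruleset, which is the same property the external ipset gives the iptables setup.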