[Dnsmasq-discuss] Using nftables internal "ipset" rule
Simon Kelley
simon at thekelleys.org.uk
Tue May 3 18:07:55 BST 2016
I think the way to go with this may be to use the libnftnl library.
http://netfilter.org/projects/libnftnl/index.html
Unfortunately, there doesn't appear to be any documentation for that (or
the underlying netlink API).
I guess that the answer to your question is that it would be a good idea
to include nftables support, but it's not trivial to do, and I don't
have the expertise or time to do it at the moment.
If someone knows how to do this, and makes a patch, I'd certainly accept it.
Cheers,
Simon.
On 28/04/16 22:29, Ronaldo Afonso wrote:
> Hi,
>
> I'm using the "ipset" feature of dnsmasq with iptables and it's working
> perfectly.
>
> The thing is ... now I need to change my firewall to nftables and I just
> found that nftables is not able to access an "external ipset set".
> nftables has its own kind of "internal ipset set of rules".
>
> I know that dnsmasq uses a netlink socket to insert ipset rules inside
> the linux kernel netfilter subsystem.
>
> So I was wondering if it is so complicated to use that same netlink
> socket to include "dnsmasq ipset rules" directly in the "nftables rule set"
> instead of in an "external ipset set".
>
> Something like this: nft add element filter ip_writelist { some_ip_address }
>
> Of course the "nftable ipset rule" must already be created. Just like an
> external ipset rule.
>
> Would it be a nice feature since nftables seems to be far from supporting
> an external ipset rule?
>
> Thanks ...
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
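Editor's worked example (added here; not dnsmasq's code, and not libnftnl's): the thread asks whether dnsmasq could push addresses into an nftables set over the same kind of netlink socket it already uses for ipset, and Simon notes that libnftnl and the underlying netlink API are undocumented. The block below hand-encodes the nfnetlink batch that `nft add element filter ip_writelist { ... }` sends to the kernel: a batch-begin message, one `NFT_MSG_NEWSETELEM` message carrying the table name, set name and a nested list of element keys, and a batch-end message. It assumes, as Ronaldo's example does, that the table is `filter` in the `ip` family and that the set `ip_writelist` of type `ipv4_addr` already exists; the table name, set name and the 192.0.2.0/24 sample addresses are constructed for the example. Numeric constants are taken from the kernel's `nf_tables.h`, `nfnetlink.h` and `netlink.h` uapi headers. Sending the batch needs CAP_NET_ADMIN, so `main` only transmits when run as root; the builder and parser run anywhere.

```python
"""Encode the nftables netlink batch that adds IP addresses to an existing set.

Added example, not dnsmasq's or libnftnl's code. Table/set names and the
192.0.2.x addresses are constructed for illustration.
"""
import ipaddress
import os
import socket
import struct

# From the kernel uapi headers (linux/netlink.h, netfilter/nfnetlink.h, nf_tables.h).
NETLINK_NETFILTER = 12
NFNL_SUBSYS_NFTABLES = 10
NFNL_MSG_BATCH_BEGIN, NFNL_MSG_BATCH_END = 0x10, 0x11
NFT_MSG_NEWSETELEM = 12
NFT_MSG_NEWSETELEM_TYPE = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWSETELEM  # 0x0a0c
NLM_F_REQUEST, NLM_F_ACK, NLM_F_CREATE = 0x01, 0x04, 0x400
NLMSG_ERROR = 0x02
NLA_F_NESTED = 0x8000
NFTA_SET_ELEM_LIST_TABLE, NFTA_SET_ELEM_LIST_SET, NFTA_SET_ELEM_LIST_ELEMENTS = 1, 2, 3
NFTA_LIST_ELEM, NFTA_SET_ELEM_KEY, NFTA_DATA_VALUE = 1, 1, 1
NFPROTO = {"inet": 1, "ip": 2, "ip6": 10}  # nfgen_family for each nft table family


def _align(n):
    return (n + 3) & ~3  # netlink attributes are padded to 4-byte boundaries


def nla(attr_type, payload):
    """struct nlattr {u16 len; u16 type} + payload; len excludes padding."""
    hdr = struct.pack("=HH", 4 + len(payload), attr_type)
    return hdr + payload + b"\0" * (_align(len(payload)) - len(payload))


def nla_str(attr_type, text):
    return nla(attr_type, text.encode() + b"\0")  # NLA_STRING, NUL-terminated


def nla_nested(attr_type, payload):
    return nla(attr_type | NLA_F_NESTED, payload)


def nfgenmsg(family, res_id=0):
    """struct nfgenmsg: u8 family, u8 version (0), be16 res_id."""
    return struct.pack("=BB", family, 0) + struct.pack("!H", res_id)


def nlmsg(msg_type, flags, seq, payload):
    """struct nlmsghdr (host byte order) followed by an already-aligned payload."""
    return struct.pack("=IHHII", 16 + len(payload), msg_type, flags, seq, 0) + payload


def set_elem(addr):
    """One element: NFTA_LIST_ELEM { NFTA_SET_ELEM_KEY { NFTA_DATA_VALUE <packed ip> } }.
    The kernel rejects the batch (EINVAL) if the key length differs from the set's key type,
    so a 4-byte key only fits an ipv4_addr set and a 16-byte key only an ipv6_addr set."""
    key = nla_nested(NFTA_SET_ELEM_KEY, nla(NFTA_DATA_VALUE, addr.packed))
    return nla_nested(NFTA_LIST_ELEM, key)


def build_add_elements_batch(family, table, set_name, addrs, seq=1):
    """Return the bytes of: BATCH_BEGIN, NEWSETELEM(table, set, elements), BATCH_END."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    if not ips or len({ip.version for ip in ips}) != 1:
        raise ValueError("a set holds one key type; use separate v4 and v6 sets")
    body = (nfgenmsg(NFPROTO[family])
            + nla_str(NFTA_SET_ELEM_LIST_TABLE, table)
            + nla_str(NFTA_SET_ELEM_LIST_SET, set_name)
            + nla_nested(NFTA_SET_ELEM_LIST_ELEMENTS, b"".join(set_elem(ip) for ip in ips)))
    batch_hdr = nfgenmsg(0, NFNL_SUBSYS_NFTABLES)  # res_id names the subsystem being batched
    begin = nlmsg(NFNL_MSG_BATCH_BEGIN, NLM_F_REQUEST, seq, batch_hdr)
    # NLM_F_CREATE without NLM_F_EXCL matches "nft add" (adding an existing element is not an error).
    add = nlmsg(NFT_MSG_NEWSETELEM_TYPE, NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE, seq + 1, body)
    end = nlmsg(NFNL_MSG_BATCH_END, NLM_F_REQUEST, seq + 2, batch_hdr)
    return begin + add + end


def split_messages(buf):
    """Walk a netlink buffer; return (type, flags, seq, payload) for each message."""
    out, off = [], 0
    while off + 16 <= len(buf):
        length, mtype, flags, seq, _pid = struct.unpack_from("=IHHII", buf, off)
        out.append((mtype, flags, seq, buf[off + 16:off + length]))
        off += _align(length)
    return out


def send_batch(batch):
    """Send the batch and return the errno from the kernel's ack (0 = elements added).
    Requires CAP_NET_ADMIN; the set must already exist, exactly as with an external ipset."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER) as s:
        s.bind((0, 0))
        s.send(batch)
        reply = s.recv(65536)
    for mtype, _flags, _seq, payload in split_messages(reply):
        if mtype == NLMSG_ERROR:  # struct nlmsgerr starts with int error (negative errno)
            return -struct.unpack_from("=i", payload)[0]
    return 0


if __name__ == "__main__":
    batch = build_add_elements_batch("ip", "filter", "ip_writelist", ["192.0.2.10", "192.0.2.11"])
    for mtype, flags, seq, payload in split_messages(batch):
        print(f"type=0x{mtype:04x} flags=0x{flags:03x} seq={seq} payload={len(payload)} bytes")
    if os.geteuid() == 0:
        print("kernel returned errno", send_batch(batch))
```

To try it against a live kernel, first create the set the way the thread says it must already exist (`nft add table ip filter; nft add set ip filter ip_writelist '{ type ipv4_addr; }'`), run the script as root, and confirm with `nft list set ip filter ip_writelist`. An IPv6 set needs the `ip6` or `inet` family and its own set of type `ipv6_addr`; the builder refuses to mix versions because the kernel would reject the batch anyway.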