[Dnsmasq-discuss] [PATCH] Add nftables set support

Simon Kelley simon at thekelleys.org.uk
Fri Sep 24 22:06:51 UTC 2021


On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
> Hi all,
> 
> 
> I am trying to switch my firewall setup from iptables to nftables. One
> of the remaining parts that still doesn't support it is dnsmasq, so I
> wrote a patch to allow adding IP addresses to nftables sets in addition
> to ipsets.
> 
> 
> This patch adds a new option --nftset, which is the same as --ipset
> except that it adds IP address to a given nftables set. It uses
> libnftables to perform the operations.
> 
> 
> I've done some testing on my PC and found no issues so far. The
> implementation shares most of its code with ipset so it should be easy
> to review. Please let me know if you have found a bug or need something
> else.
> 
> 
> Best,
> 
> Chen Zhenge
> 

OK, this got back to the top of the list, for 2.87, as I promised.

One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
not both, so do we need some sort of syntax to specify if a particular
set should be for IPv4 or IPv6 addresses? Or have I misunderstood?


The syntax requires spaces in the sets to separate the table name from
the set name, which is a little awkward, especially when giving options
on the command line. I've added code to allow # to be used instead, so

--nftset=/example.com/table#setname

Cheers,

Simon.
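The two points raised above, the `table#setname` form of the option value and the fact that an nftables set holds only one address family, as an added example that is not part of the patch or of dnsmasq's own code. It parses an `--nftset` value in both the space-separated and the `#` forms and then only plans `nft add element` commands for resolved addresses whose family matches the set's declared type, reporting the rest as mismatches instead of pushing them at the wrong set. All function and set names, the `SET_FAMILY` table and the `inet` table family are assumptions made for the example.

```python
"""Model of --nftset option parsing and per-family set routing.

Hypothetical helper code, not dnsmasq's implementation.  The set family
table mirrors what a ruleset would declare, e.g.
    set blocked4 { type ipv4_addr; }
    set blocked6 { type ipv6_addr; }
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class NftsetOption:
    domains: list   # domain names matched against answers
    table: str      # nftables table holding the set
    setname: str    # set inside that table


def parse_nftset(value):
    """Parse '/dom1/dom2/table#set' or the older '/dom1/dom2/table set'."""
    if not value.startswith("/"):
        raise ValueError("nftset option must start with '/'")
    parts = value.split("/")[1:]            # drop the empty leading element
    if len(parts) < 2:
        raise ValueError("need at least one domain and a table/set pair")
    *domains, target = parts
    if not all(domains):
        raise ValueError("empty domain component")
    # '#' or whitespace separates table from set name
    m = re.fullmatch(r"([^#\s]+)[#\s]+([^#\s]+)", target)
    if m is None:
        raise ValueError("set must be given as 'table#set' or 'table set'")
    return NftsetOption([d.lower() for d in domains], m.group(1), m.group(2))


# Assumed declared families of the sets, as the ruleset would define them.
SET_FAMILY = {"blocked4": 4, "blocked6": 6}


def plan_additions(option, addresses, set_family=SET_FAMILY):
    """Return (commands, skipped): 'nft add element' commands for addresses
    matching the set's family, and the addresses of the other family."""
    family = set_family.get(option.setname)
    if family is None:
        raise KeyError(f"unknown set {option.setname}")
    commands, skipped = [], []
    for a in addresses:
        addr = ipaddress.ip_address(a)
        if addr.version != family:
            skipped.append(a)              # would be rejected by nft anyway
            continue
        # 'inet' table family is an assumption for the example
        commands.append(
            f"nft add element inet {option.table} {option.setname} {{ {addr} }}")
    return commands, skipped


if __name__ == "__main__":
    # Constructed sample: the same domain mapped once per family
    answers = ["192.0.2.10", "2001:db8::10"]
    for value in ("/example.com/fw#blocked4", "/example.com/fw blocked6"):
        opt = parse_nftset(value)
        cmds, skipped = plan_additions(opt, answers)
        print(value, "->", cmds, "skipped:", skipped)
```

Mapping one domain to two options, one per set, is the pattern the example assumes for a dual-stack host; the routing step is what keeps an AAAA answer out of an `ipv4_addr` set.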
