[Dnsmasq-discuss] [PATCH] Add nftables set support

Chen Zhenge me at markle.one
Sun Sep 26 05:22:54 UTC 2021


On 9/25/21 06:06, Simon Kelley wrote:
> On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
>> Hi all,
>>
>>
>> I am trying to switch my firewall setup from iptables to nftables. One
>> of the remaining parts that still doesn't support it is dnsmasq, so I
>> wrote a patch to allow adding IP addresses to nftables sets in addition
>> to ipsets.
>>
>>
>> This patch adds a new option --nftset, which is the same as --ipset
>> except that it adds IP address to a given nftables set. It uses
>> libnftables to perform the operations.
>>
>>
>> I've done some testing on my PC and found no issues so far. The
>> implementation shares most of its code with ipset so it should be easy
>> to review. Please let me know if you have found a bug or need something
>> else.
>>
>>
>> Best,
>>
>> Chen Zhenge
>>
> OK, this got back to the top of the list, for 2.87, as I promised.
>
> One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
> not both, so do we need some sort of syntax to specify if a particular
> set should be for IPv4 or IPv6 addresses? Or have I misunderstood?
>
>
> The syntax requires spaces in the sets to separate the table name from
> the set name, which is a little awkward, especially when giving options
> on the command line. I've added code to allow # to be used instead, so
>
> --nftset=/example.com/table#setname
>
> Cheers,
>
> Simon.
>

An ipset cannot hold both types of addresses either. [1] The --ipset 
option achieves supporting both by trying to add all addresses to every 
set, continuing silently if the address type does not match. The current 
behavior of --nftset is the same as that.


Separating by space is indeed inconvenient for the command line... I will 
update the syntax later.


[1]: https://ipset.netfilter.org/ipset.man.html#lbAP

---

Chen Zhenge
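An added illustration (not dnsmasq's code and not the patch under discussion) of the dispatch rule Chen describes above: every set listed for a matching domain is tried, and a set whose address family does not match the resolved address is skipped silently, so one option line can feed an IPv4 set and an IPv6 set at once. It parses the `table#setname` form Simon proposed in place of the space-separated one. The `inet` table family in the emitted `nft` commands, the `ipv4_addr`/`ipv6_addr` type labels and the table and set names are assumptions of the example; the commands are only built as strings, not executed.

```python
"""Model of --ipset/--nftset style dispatch of resolved addresses into
address-family-typed sets. Illustrative only; dnsmasq's real implementation
uses libipset/libnftables, not shell commands."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NftSet:
    table: str
    name: str
    family_type: str            # "ipv4_addr" or "ipv6_addr" (an nft set holds one, never both)
    elements: set = field(default_factory=set)


def parse_nftset_option(value):
    """Parse '/dom1/dom2/table#set1,table#set2' into (domains, [(table, set), ...]).

    Domain list and comma-separated set list follow the existing --ipset layout;
    'table#setname' is the separator proposed in the thread (an assumption here).
    """
    if not value.startswith("/"):
        raise ValueError("expected option value to start with '/'")
    parts = value.split("/")
    domains = parts[1:-1]                   # everything between the slashes
    sets = []
    for spec in parts[-1].split(","):
        table, sep, name = spec.partition("#")
        if not sep or not table or not name:
            raise ValueError(f"bad set spec {spec!r}, expected table#setname")
        sets.append((table, name))
    return domains, sets


def add_address(addr_str, candidate_sets):
    """Offer one resolved address to every candidate set.

    Returns the nft commands that would be issued. A set of the other address
    family is skipped without error, mirroring the --ipset behaviour described
    in the thread. The 'inet' table family is assumed for the example.
    """
    addr = ipaddress.ip_address(addr_str)
    wanted = "ipv4_addr" if addr.version == 4 else "ipv6_addr"
    cmds = []
    for s in candidate_sets:
        if s.family_type != wanted:
            continue                        # type mismatch: silently skip, as --ipset does
        s.elements.add(addr)
        cmds.append(f"nft add element inet {s.table} {s.name} {{ {addr} }}")
    return cmds


def demo():
    """Run the two-set case: a v4 and a v6 set named on one option line."""
    domains, specs = parse_nftset_option("/example.com/fw#v4hosts,fw#v6hosts")
    types = {"v4hosts": "ipv4_addr", "v6hosts": "ipv6_addr"}  # assumed set types
    sets = [NftSet(t, n, types[n]) for t, n in specs]
    # Constructed answers for example.com (documentation ranges, not real lookups)
    issued = add_address("192.0.2.1", sets) + add_address("2001:db8::1", sets)
    return domains, sets, issued


if __name__ == "__main__":
    for cmd in demo()[2]:
        print(cmd)
```

Each resolved address produces exactly one command here, landing in the set of its own family; a malformed spec such as `fw v4hosts` (no `#`) is rejected at option-parse time rather than at lookup time.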
