[Dnsmasq-discuss] [PATCH] Add nftables set support

Neal P. Murphy neal.p.murphy at alum.wpi.edu
Mon Sep 27 01:27:23 UTC 2021


On Sun, 26 Sep 2021 13:22:54 +0800
Chen Zhenge via Dnsmasq-discuss <dnsmasq-discuss at lists.thekelleys.org.uk> wrote:

> 
> On 9/25/21 06:06, Simon Kelley wrote:
> > On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
> >> Hi all,
> >>
> >>
> >> I am trying to switch my firewall setup from iptables to nftables. One
> >> of the remaining parts that still doesn't support it is dnsmasq, so I
> >> wrote a patch to allow adding IP addresses to nftables sets in addition
> >> to ipsets.
> >>
> >>
> >> This patch adds a new option --nftset, which is the same as --ipset
> >> except that it adds IP address to a given nftables set. It uses
> >> libnftables to perform the operations.
> >>
> >>
> >> I've done some testing on my PC and found no issues so far. The
> >> implementation shares most of its code with ipset so it should be easy
> >> to review. Please let me know if you have found a bug or need something
> >> else.
> >>
> >>
> >> Best,
> >>
> >> Chen Zhenge
> >>
> > OK, this got back to the top of the list, for 2.87, as I promised.
> >
> > One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
> > not both, so do we need some sort of syntax to specify if a particular
> > set should be for IPv4 or IPv6 addresses? Or have I misunderstood?
> >
> >
> > The syntax requires spaces in the sets to separate the table name from
> > the set name, which is a little awkward, especially when giving options
> > on the command line. I've added code to allow # to be used instead, so
> >
> > --nftset=/example.com/table#setname
> >
> > Cheers,
> >
> > Simon.
> >
> 
> An ipset cannot hold both types of addresses either. [1] The --ipset
> option achieves supporting both by trying to add all addresses to every
> set, continuing silently if the address type does not match. The current
> behavior of --nftset is the same as that.
> 
> 
> Separating by space is indeed inconvenient for command line... I will 
> update the syntax later.

Don't forget that, if this is used on the command line, quotes or a '\' escape must be used; otherwise, the shell will interpret the '#' as the start of a comment.

N
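The family-dispatch behaviour discussed in the thread (every resolved address is offered to every configured set, and a set whose family does not match silently skips it) as an added Python simulation. This is not code from dnsmasq or from Chen's patch: it assumes the `table#setname` syntax Simon proposed, replaces libnftables with a stand-in class, and the set families are declared by hand, since the page does not say how the patch learns them.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

SetKey = Tuple[str, str]  # (table, set name)


class FakeNftSet:
    """Stand-in for an nftables set; a real build would call libnftables here."""

    def __init__(self, table: str, name: str, family: int):
        # family is 4 or 6: an nft set (like an ipset) holds one family only.
        self.table, self.name, self.family = table, name, family
        self.elements: Set[str] = set()

    def add(self, addr) -> bool:
        # Mirror the --ipset behaviour described in the thread: on a family
        # mismatch, do nothing and report False instead of raising.
        if addr.version != self.family:
            return False
        self.elements.add(str(addr))
        return True


def parse_nftset_option(value: str) -> Tuple[List[str], List[SetKey]]:
    """Parse '/dom1/dom2/table#set1,table#set2' into (domains, [(table, set), ...]).

    Syntax assumed from the thread: a leading '/', '/'-separated domains,
    then a comma-separated list of sets with '#' between table and set name.
    """
    if not value.startswith("/"):
        raise ValueError("option must start with '/'")
    parts = value[1:].split("/")
    domains, set_spec = parts[:-1], parts[-1]
    if not domains:
        raise ValueError("at least one domain is required")
    sets: List[SetKey] = []
    for item in set_spec.split(","):
        table, sep, name = item.partition("#")
        if not sep or not table or not name:
            raise ValueError(f"bad set spec {item!r}: expected table#setname")
        sets.append((table, name))
    return domains, sets


def domain_matches(qname: str, domains: List[str]) -> bool:
    """Match the query name itself or any subdomain, as --ipset does."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in domains)


def apply_answers(qname: str, answers: List[str], domains: List[str],
                  sets: List[SetKey], registry: Dict[SetKey, FakeNftSet]) -> Dict[SetKey, List[str]]:
    """Offer every answer address to every configured set; return what was added."""
    if not domain_matches(qname, domains):
        return {}
    added: Dict[SetKey, List[str]] = {}
    for a in answers:
        addr = ipaddress.ip_address(a)
        for key in sets:
            if registry[key].add(addr):
                added.setdefault(key, []).append(str(addr))
    return added


def demo() -> Dict[SetKey, List[str]]:
    # Constructed config and answers: one v4 set and one v6 set in table 'filter',
    # and a mixed A/AAAA answer for www.example.com.
    domains, sets = parse_nftset_option("/example.com/filter#v4_hosts,filter#v6_hosts")
    registry = {
        ("filter", "v4_hosts"): FakeNftSet("filter", "v4_hosts", 4),
        ("filter", "v6_hosts"): FakeNftSet("filter", "v6_hosts", 6),
    }
    answers = ["192.0.2.10", "2001:db8::10"]
    return apply_answers("www.example.com", answers, domains, sets, registry)


if __name__ == "__main__":
    print(demo())
```

Each address lands only in the set of its own family; the mismatching set is skipped without an error, which is the behaviour Chen describes for both --ipset and --nftset.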


