On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
> Hi all,
>
> I am trying to switch my firewall setup from iptables to nftables. One
> of the remaining parts that still doesn't support it is dnsmasq, so I
> wrote a patch to allow adding IP addresses to nftables sets in addition
> to ipsets.
>
> This patch adds a new option --nftset, which is the same as --ipset
> except that it adds IP addresses to a given nftables set. It uses
> libnftables to perform the operations.
>
> I've done some testing on my PC and found no issues so far. The
> implementation shares most of its code with ipset so it should be easy
> to review. Please let me know if you have found a bug or need something
> else.
>
> Best,
>
> Chen Zhenge

OK, this got back to the top of the list, for 2.87, as I promised.

One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
not both, so do we need some sort of syntax to specify if a particular
set should be for IPv4 or IPv6 addresses? Or have I misunderstood?

The syntax requires spaces in the sets to separate the table name from
the set name, which is a little awkward, especially when giving options
on the command line. I've added code to allow # to be used instead, so

    --nftset=/example.com/table#setname

Cheers,

Simon.