On 9/25/21 06:06, Simon Kelley wrote:
On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
Hi all,


I am trying to switch my firewall setup from iptables to nftables. One
of the remaining parts that still doesn't support it is dnsmasq, so I
wrote a patch to allow adding IP addresses to nftables sets in addition
to ipsets.


This patch adds a new option --nftset, which is the same as --ipset
except that it adds IP addresses to a given nftables set. It uses
libnftables to perform the operations.


I've done some testing on my PC and found no issues so far. The
implementation shares most of its code with ipset so it should be easy
to review. Please let me know if you have found a bug or need something
else.


Best,

Chen Zhenge

OK, this got back to the top of the list, for 2.87, as I promised.

One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
not both, so do we need some sort of syntax to specify if a particular
set should be for IPv4 or IPv6 addresses? Or have I misunderstood?


The syntax requires spaces in the sets to separate the table name from
the set name, which is a little awkward, especially when giving options
on the command line. I've added code to allow # to be used instead, so

--nftset=/example.com/table#setname

Cheers,

Simon.


An ipset cannot hold both types of addresses either. [1] The --ipset option achieves support for both by trying to add all addresses to every set, continuing silently if the address type does not match. The current behavior of --nftset is the same as that.


Separating by space is indeed inconvenient on the command line... I will update the syntax later.


[1]: https://ipset.netfilter.org/ipset.man.html#lbAP

---

Chen Zhenge
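As an added illustration of the set-type point discussed above (example configuration, not part of the thread and not dnsmasq's own code), here is an nftables ruleset with one set per address family for dnsmasq to populate; the table name `filter` and the set names `v4set`/`v6set` are assumptions, and the `#` notation in the comments is the form proposed in the thread above.

```nft
# Added example: an nft set holds either ipv4_addr or ipv6_addr elements,
# never both, so a domain that resolves to A and AAAA records needs two
# sets. With the proposed syntax they would be named as
# filter#v4set and filter#v6set in --nftset.
table inet filter {
    # A records land here; IPv6 answers are skipped for this set
    set v4set {
        type ipv4_addr
        flags timeout
        timeout 1h        # elements added without a timeout inherit this
    }
    # AAAA records land here; IPv4 answers are skipped for this set
    set v6set {
        type ipv6_addr
        flags timeout
        timeout 1h
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # dnsmasq must still be able to reach its upstream resolvers
        udp dport 53 accept
        tcp dport 53 accept
        # only destinations resolved through dnsmasq are reachable over HTTPS
        ip daddr @v4set tcp dport 443 accept
        ip6 daddr @v6set tcp dport 443 accept
    }
}
```

Load it with `nft -f <file>` and check set contents with `nft list set inet filter v4set`; an entry expiring after the timeout shows that stale resolutions age out of the allow list on their own.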



_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
