On Sun, 26 Sep 2021 13:22:54 +0800 Chen Zhenge via Dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk> wrote:
> On 9/25/21 06:06, Simon Kelley wrote:
> > On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
> >> Hi all,
> >>
> >> I am trying to switch my firewall setup from iptables to nftables. One
> >> of the remaining parts that still doesn't support it is dnsmasq, so I
> >> wrote a patch to allow adding IP addresses to nftables sets in addition
> >> to ipsets.
> >>
> >> This patch adds a new option --nftset, which is the same as --ipset
> >> except that it adds IP addresses to a given nftables set. It uses
> >> libnftables to perform the operations.
> >>
> >> I've done some testing on my PC and found no issues so far. The
> >> implementation shares most of its code with ipset so it should be easy
> >> to review. Please let me know if you have found a bug or need something
> >> else.
> >>
> >> Best,
> >>
> >> Chen Zhenge
> >>
> > OK, this got back to the top of the list, for 2.87, as I promised.
> >
> > One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
> > not both, so do we need some sort of syntax to specify if a particular
> > set should be for IPv4 or IPv6 addresses? Or have I misunderstood?
> >
> > The syntax requires spaces in the sets to separate the table name from
> > the set name, which is a little awkward, especially when giving options
> > on the command line. I've added code to allow # to be used instead, so
> >
> > --nftset=/example.com/table#setname
> >
> > Cheers,
> >
> > Simon.
> >
> An ipset cannot hold both types of addresses either. [1] The --ipset
> option achieves supporting both by trying to add all addresses to every
> set, continuing silently if the address type does not match. The current
> behavior of --nftset is the same as that.
>
> Separating by space is indeed inconvenient for the command line... I will
> update the syntax later.
Don't forget that, if this is used on the command line, quotes or a '\' escape must be used; otherwise, the shell will interpret the '#' as the start of a comment.

N

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
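The thread settles on `--nftset=/example.com/table#setname`, with `#` separating the nftables table from the set, and notes that an nft set holds only one address family. The POSIX shell function below is an added example written for this page; it is not code from the dnsmasq patch or from the dnsmasq project. It assumes the value follows the existing `--ipset` shape extended with `#` (`/domain[/domain...]/table#set[,table#set...]`, an assumption about the final syntax) and splits it into one `domain table set` line per pair, rejecting an entry that lacks the `table#set` form, so a defender can see exactly which sets a rule would feed before loading it into a firewall. The body runs in a subshell so the IFS changes do not leak into the caller.

```shell
#!/bin/sh
# Added example, not part of the dnsmasq patch: parse a --nftset value of the
# assumed form  /domain[/domain...]/table#set[,table#set...]
# and emit one "domain table set" line per (domain, set) pair.
# Note: nft sets hold one address family each, so a set named here must
# already exist in the named table with the family the resolver will add.

nftset_fields() (
    value=$1

    # The value must start with '/', as --ipset values do.
    case $value in
        /*) ;;
        *)  echo "nftset: value must start with '/'" >&2; return 1 ;;
    esac
    value=${value#/}

    # After the leading '/', at least one more '/' separates domains from sets.
    case $value in
        */*) ;;
        *)   echo "nftset: missing '/' before the set list" >&2; return 1 ;;
    esac

    sets=${value##*/}      # text after the last '/': comma-separated sets
    domains=${value%/*}    # text before the last '/': slash-separated domains

    [ -n "$sets" ]    || { echo "nftset: empty set list" >&2; return 1; }
    [ -n "$domains" ] || { echo "nftset: empty domain list" >&2; return 1; }

    IFS=/
    for d in $domains; do
        IFS=,
        for s in $sets; do
            # Each set entry must be table#set; '#' inside a word is data here.
            case $s in
                *#*) table=${s%%#*}; setname=${s#*#} ;;
                *)   echo "nftset: '$s' is not in table#set form" >&2; return 1 ;;
            esac
            [ -n "$table" ] && [ -n "$setname" ] || {
                echo "nftset: empty table or set name in '$s'" >&2; return 1; }
            printf '%s %s %s\n' "$d" "$table" "$setname"
        done
        IFS=/
    done
)

# Usage: the value is quoted, as the reply above recommends for '#' on the
# command line. Sample values are constructed for the demonstration.
nftset_fields '/example.com/filter#blocked'
nftset_fields '/a.example/b.example/inet_fw#v4,inet_fw#v6'
```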