
List:       netfilter
Subject:    nftables: Define variable with IPv6 suffix match in nft script
From:       Fred F <frederik.vogelsang () gmail ! com>
Date:       2020-09-23 19:19:52
Message-ID: CAJqja9fhYzAQ-cYcP_HnB5Mmd2UKZgvL8+DG0nT2GRdhWB9N_g () mail ! gmail ! com

Hi,

I am having issues defining a variable which contains an IPv6 host
(actually a suffix match). This is the rule in question which is
working:

chain forward {
  # relevant rule:
  iifname "wan" oifname "lan" ip6 daddr & ::ffff:ffff:ffff:ffff == ::192:168:1:1 tcp dport 443 accept
}

Now I'd like to store the suffix match in a variable, as I need it in
various places, like this:

define ip6_testserver = "& ::ffff:ffff:ffff:ffff == ::192:168:1:1"

chain forward {
  # relevant rule:
  iifname "wan" oifname "lan" ip6 daddr $ip6_testserver tcp dport 443 accept
}

Unfortunately this is not working. It seems like the value of
"ip6_testserver" is interpreted as a hostname when written in quotes.
Without the quotes I am getting a syntax error. Any ideas how I can
fix this? Are there any other notations for the suffix match? Back in
the old ip6tables days it was written like
::192:168:1:1/::ffff:ffff:ffff:ffff.


Best regards,
Frederik
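
The nft expression `ip6 daddr & mask == value` and the ip6tables `address/mask` notation mentioned in the message describe the same bitwise test. The Python sketch below is an added example, not part of the original post: it converts the ip6tables form into the nft expression quoted above and checks which addresses the match admits. The function names are hypothetical and the sample addresses are constructed.

```python
import ipaddress


def parse_masked(spec):
    """Parse ip6tables-style 'address/mask', with the mask written as an address."""
    addr_s, mask_s = spec.split("/", 1)
    addr = int(ipaddress.IPv6Address(addr_s))
    mask = int(ipaddress.IPv6Address(mask_s))
    # (daddr & mask) can never equal a value that has bits set outside the
    # mask, so such a rule would silently match nothing.
    if addr & ~mask:
        raise ValueError("address has bits outside the mask: " + spec)
    return addr, mask


def to_nft(spec, field="ip6 daddr"):
    """Render the masked address as the nft bitwise-and-compare expression."""
    addr, mask = parse_masked(spec)
    return "%s & %s == %s" % (
        field,
        ipaddress.IPv6Address(mask),
        ipaddress.IPv6Address(addr),
    )


def matches(spec, candidate):
    """Return True if the candidate address passes the suffix match."""
    addr, mask = parse_masked(spec)
    return int(ipaddress.IPv6Address(candidate)) & mask == addr


if __name__ == "__main__":
    spec = "::192:168:1:1/::ffff:ffff:ffff:ffff"  # notation from the message
    print(to_nft(spec))
    # Constructed sample destinations: same suffix under two prefixes,
    # then one address with a different suffix.
    for dst in (
        "2001:db8:aaaa:bbbb:192:168:1:1",
        "fd00::192:168:1:1",
        "2001:db8:aaaa:bbbb:192:168:1:2",
    ):
        print(dst, matches(spec, dst))
```

The match ignores the upper 64 bits entirely, so the rule accepts the same interface identifier under any prefix routed to the "lan" interface.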