List:       netfilter
Subject:    Re: mixed address family sets and rules in nft
From:       "Alov, Igor" <alov.igor () gmail ! com>
Date:       2022-06-06 8:59:32
Message-ID: 11887a4a-7a1d-a2a6-79cf-7c61738c2de0 () gmail ! com

On 04.06.2022 17:34, Kamil Jońca wrote:
> --8<---------------cut here---------------start------------->8---
> tcp dport ssh ip saddr $host_6 accept;
> --8<---------------cut here---------------end--------------->8---
>

Bear in mind, you should use ip6 whenever you want to filter V6 addresses:
tcp dport ssh ip6 saddr $host_6 accept;

On 04.06.2022 17:34, Kamil Jońca wrote:
> Marc Haber <mh+netfilter@zugschlus.de> writes:
>
>> Hi,
>>
>> I am somewhat a newbie to nft, but I have been doing Linux packet
>> filtering for way more than 20 years, starting with ipfwadm back in 1997
>> or 1998.
>>
>> In nft, I would like to be able to write something along the lines of
>>
>> |@@def $host = (85.214.160.151 2a01:238:42bc:a101::2:100)
>> |
>> |chain INPUT saddr $host proto tcp dport 22 ACCEPT
> I think that strictly speaking this (=mixing ipv6 and ipv4 in one
> set[1]) is not possible.
>
> But there is no problem separately (as you probably know).
>
> --8<---------------cut here---------------start------------->8---
> define host_4 = { 85.214.160.151 , .. and other hosts.. }
> define host_6 = { 2a01:238:42bc:a101::2:100 , and other hosts }
>
> tcp dport ssh ip saddr $host_4 accept;
> tcp dport ssh ip saddr $host_6 accept;
> --8<---------------cut here---------------end--------------->8---
>
> When you are talking about "hundreds" of addresses - you probably will need
> to use some kind of script to split ipv6/ipv4 addresses.
> Or use named set and manipulate them separately on the fly.
>
>
> KJ
>
> [1] - I know that ipv4 space is mapped into some subset of ipv6
>
>
>

-- 
With Best Regards
Alov, igor
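
Added example (not part of the original message or of nftables itself): one way to write the "script to split ipv6/ipv4 addresses" suggested in the thread, emitting the per-family defines with the matching ip / ip6 selectors. The function names and the sample list are assumptions made for illustration; the two addresses are the ones quoted in the thread and 192.0.2.0/24 is a documentation prefix.

```python
import ipaddress

def split_hosts(entries):
    """Split mixed IPv4/IPv6 addresses or prefixes into (v4, v6) lists.

    Invalid text, or a prefix with host bits set (e.g. 10.1.2.3/8), raises
    ValueError so a typo never ends up as a silently wider allow rule.
    """
    v4, v6 = set(), set()
    for raw in entries:
        net = ipaddress.ip_network(raw.strip())  # strict parsing by default
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)

def _fmt(net):
    # Print single hosts without the /32 or /128 suffix
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)

def render_nft(entries, dport="ssh"):
    """Return nft define + rule lines, one pair per address family present."""
    v4, v6 = split_hosts(entries)
    families = (("host_4", "ip", v4), ("host_6", "ip6", v6))
    defines, rules = [], []
    for name, selector, nets in families:
        if not nets:
            continue  # no addresses of this family: emit neither define nor rule
        members = ", ".join(_fmt(n) for n in nets)
        defines.append(f"define {name} = {{ {members} }}")
        # IPv4 sets must be matched with "ip saddr", IPv6 sets with "ip6 saddr"
        rules.append(f"tcp dport {dport} {selector} saddr ${name} accept")
    return "\n".join(defines + rules)

if __name__ == "__main__":
    # Constructed sample input: mixed families, one duplicate
    mixed = [
        "85.214.160.151",
        "2a01:238:42bc:a101::2:100",
        "192.0.2.0/24",
        "85.214.160.151",
    ]
    print(render_nft(mixed))
```

The printed rule lines belong inside a chain of an inet-family table, with the define lines placed before them in the same file.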
