[Bug 1504] New: Feature request: Negated set elements in interval sets, as with ipset nomatch
bugzilla-daemon at netfilter.org
Thu Feb 18 03:53:44 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1504
Bug ID: 1504
Summary: Feature request: Negated set elements in interval sets, as with ipset nomatch
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: fmyhr at fhmtech.com
It would be useful to be able to add negated elements (those that are
explicitly excluded from the set) to interval sets, as with the nomatch keyword
using ipset.
For example, I have an interval set 'harsh' of ipv4 address blocks that get
filtered more severely than most. But there are a few hosts within some of the
elements that I want to subject to my normal policy instead. I do this now by
creating a second set 'harsh-' for the exceptions and using a rule like
ip saddr @harsh ip saddr != @harsh- jump harsh_chain
If nftables had negated elements then I could eliminate the harsh- set and the
2nd expression in the above rule.
Even though this change may not appear to be a major benefit as far as nftables
itself is concerned, it would make maintaining such a 'harsh' (or similar) set
much easier. For now I maintain such lists as a single 'base list' in my own
syntax (using ! for negated elements), and use scripts to translate this base
list into 'positive' and 'negative' nft sets, and to transform nft expressions
using base sets (with my custom '~' operator) into the expression pair in the
above example. This works but is slow and clunky in addition to using the
non-standard syntax.
--
You are receiving this mail because:
You are watching all bug changes.
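The workaround the report describes, as an added example (this is not the reporter's own script and not nftables code): a small Python translator that reads a base list in the style the report sketches, emits the positive set and the exception set as nftables interval set definitions, rewrites the custom `~` operator into the `@harsh` / `!= @harsh-` expression pair, and emulates the resulting match so the translation can be checked offline. The exact base-list grammar (`!` prefix, `#` comments), the shape of the `~` operator, the `harsh` / `harsh-` names and the sample addresses are assumptions or constructed values; only IPv4 is handled, since the report's sets are ipv4_addr.

```python
"""Translate a base list with '!'-negated exceptions into the pair of
nftables interval sets and the rule pair described in bug 1504.

Added example, not the reporter's script and not nftables code. The base
list grammar, the '~' operator shape, the set names and the addresses are
assumptions / constructed values. IPv4 only.
"""
import ipaddress
import re

# Constructed sample base list: one element per line, '!' marks an
# exception that should get the normal policy, '#' starts a comment.
SAMPLE_BASE_LIST = """\
# blocks that get the harsh policy
203.0.113.0/24
198.51.100.0/25
# hosts inside those blocks that should get the normal policy instead
!203.0.113.7
!198.51.100.64/29
"""


def parse_base_list(text):
    """Return (positives, negatives) as lists of IPv4Network objects.

    Rejects malformed lines, non-IPv4 elements, and a negated element that
    is not covered by any positive element (it could never have an effect,
    so it is almost certainly a typo in the base list).
    """
    positives, negatives = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        negated = line.startswith("!")
        try:
            net = ipaddress.ip_network(line.lstrip("!").strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 elements are supported")
        (negatives if negated else positives).append(net)
    for neg in negatives:
        if not any(neg.subnet_of(pos) for pos in positives):
            raise ValueError(f"negated element {neg} lies outside every positive element")
    return positives, negatives


def nft_set(name, nets):
    """Render one interval set definition in nft's own list-style syntax."""
    elems = ", ".join(str(n) for n in nets)
    return (f"set {name} {{\n"
            f"\ttype ipv4_addr\n"
            f"\tflags interval\n"
            f"\telements = {{ {elems} }}\n"
            f"}}")


def render_sets(base_name, positives, negatives):
    """Positive set plus the '<name>-' exception set, as in the report."""
    return nft_set(base_name, positives) + "\n" + nft_set(base_name + "-", negatives)


# Assumed form of the custom operator: '<selector> ~<setname>', e.g. 'ip saddr ~harsh'.
_TILDE = re.compile(r"(?P<sel>ip [sd]addr) ~(?P<set>[A-Za-z0-9_.-]+)")


def translate_rule(rule):
    """Rewrite '<sel> ~<set>' into '<sel> @<set> <sel> != @<set>-'."""
    def repl(m):
        sel, name = m.group("sel"), m.group("set")
        return f"{sel} @{name} {sel} != @{name}-"
    return _TILDE.sub(repl, rule)


def matches(addr, positives, negatives):
    """Emulate the rule pair: inside a positive block and not inside an exception."""
    ip = ipaddress.ip_address(addr)
    in_pos = any(ip in n for n in positives)
    in_neg = any(ip in n for n in negatives)
    return in_pos and not in_neg


if __name__ == "__main__":
    pos, neg = parse_base_list(SAMPLE_BASE_LIST)
    print(render_sets("harsh", pos, neg))
    print(translate_rule("ip saddr ~harsh jump harsh_chain"))
```

The containment check in `parse_base_list` is the part worth keeping even if the feature request is implemented: with a single set holding both kinds of element, an exception that lies outside every positive interval is silently dead, so catching it at translation time is the cheapest place to do so.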