[Bug 1504] New: Feature request: Negated set elements in interval sets, as with ipset nomatch

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Feb 18 03:53:44 CET 2021


            Bug ID: 1504
           Summary: Feature request: Negated set elements in interval
                    sets, as with ipset nomatch
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: fmyhr at fhmtech.com

It would be useful to be able to add negated elements (those that are
explicitly excluded from the set) to interval sets, as with the nomatch keyword
using ipset. 

For example, I have an interval set 'harsh' of ipv4 address blocks that get
filtered more severely than most. But there are a few hosts within some of the
elements that I want to subject to my normal policy instead. I do this now by
creating a second set 'harsh-' for the exceptions and using a rule like

ip saddr @harsh  ip saddr != @harsh-  jump harsh_chain

If nftables had negated elements then I could eliminate the harsh- set and the
2nd expression in the above rule.

Even though this change may not appear to be a major benefit as far as nftables
itself is concerned, it would make maintaining such a 'harsh' (or similar) set
much easier. For now I maintain such lists as a single 'base list' in my own
syntax (using ! for negated elements), and use scripts to translate this base
list into 'positive' and 'negative' nft sets, and to transform nft expressions
using base sets (with my custom '~' operator) into the expression pair in the
above example. This works but is slow and clunky in addition to using the
non-standard syntax.

You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20210218/a41e2a75/attachment.html>

More information about the netfilter-buglog mailing list