* nftables wiki
From: Dave Carlton @ 2016-10-05 16:45 UTC
To: netfilter
I was going to try and add some content as I discover nftables but see no way to create an account.
* Re: nftables wiki
From: Pablo Neira Ayuso @ 2016-10-17 19:38 UTC
To: Dave Carlton; +Cc: netfilter
On Wed, Oct 05, 2016 at 06:45:31AM -1000, Dave Carlton wrote:
> I was going to try and add some content as I discover nftables but see no way to create an account.
Public reply: Anyone willing to have an account in nftables wiki, send
me a private email indicating username. Thanks.
* nftables wiki
From: Frank Myhr @ 2020-03-09 23:09 UTC
To: netfilter
Hi,
Can I apply to be a registered user of the nftables wiki? I'm just a
neophyte at nftables so would not make major changes. But I can clarify
wording and maybe expand on some areas as I continue learning in the
process of switching my systems from iptables + ipset -> nftables. The
impetus for me has been discovering that Debian Buster is by default
using nftables behind the iptables scene. Reason enough to finally take
the plunge. I imagine others are (or will soon be) in the same
situation. The wiki is already very helpful, but I'd be glad to help
update & improve it.
Thanks,
Frank
* Re: nftables wiki
From: Pablo Neira Ayuso @ 2017-12-28 10:31 UTC
To: paulo bruck; +Cc: netfilter
Hi Paulo,
On Wed, Dec 27, 2017 at 04:25:56PM -0200, paulo bruck wrote:
> Hi Guys. Me again 80)
>
> I'm studying nftables. I think it would be better IMHO to do a cut and
> paste at link below that talks about Sets
I can create an account for you, so you can edit this yourself.
Let me know and I'll send you the token privately.
Thanks.
> before
> ############################################
> Named sets
>
> You can create the named sets with the following command:
>
> % nft add set filter blackhole { type ipv4_addr\;}
>
> Note that blackhole is the name of the set in this case. The type
> option indicates the data type that this set stores, which is an IPv4
> address in this case. Current maximum name length is 16 characters.
>
> % nft add element filter blackhole { 192.168.3.4 }
> % nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
>
> Then, you can use it from the rule:
>
> % nft add rule ip input ip saddr @blackhole drop
>
> Named sets can be updated anytime, so you can add and delete elements from them.
>
> Eric Leblond in his Why you will love nftables article shows a very
> simple example to compare iptables with nftables:
>
> ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
>
> Which can be expressed in nftables with a couple of rules that provide a set:
>
> % nft add rule ip6 filter input tcp dport {telnet, http, https} accept
> % nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
> echo-request, nd-router-advert, nd-neighbor-advert } accept
> ####################################################
>
> after
>
> ######################################################
> Eric Leblond in his Why you will love nftables article shows a very
> simple example to compare iptables with nftables:
>
> ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
>
> Which can be expressed in nftables with a couple of rules that provide a set:
>
> % nft add rule ip6 filter input tcp dport {telnet, http, https} accept
> % nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
> echo-request, nd-router-advert, nd-neighbor-advert } accept
>
>
> Named sets
>
> You can create the named sets with the following command:
>
> % nft add set filter blackhole { type ipv4_addr\;}
>
> Note that blackhole is the name of the set in this case. The type
> option indicates the data type that this set stores, which is an IPv4
> address in this case. Current maximum name length is 16 characters.
>
> % nft add element filter blackhole { 192.168.3.4 }
> % nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
>
> Then, you can use it from the rule:
>
> % nft add rule ip input ip saddr @blackhole drop
>
> Named sets can be updated anytime, so you can add and delete elements from them.
>
> #############################################################
>
> best regards
* nftables wiki
From: paulo bruck @ 2017-12-27 18:25 UTC
To: netfilter
Hi Guys. Me again 80)

I'm studying nftables. I think it would be better IMHO to do a cut and
paste at link below that talks about Sets

before
############################################
Named sets

You can create the named sets with the following command:

% nft add set filter blackhole { type ipv4_addr\;}

Note that blackhole is the name of the set in this case. The type
option indicates the data type that this set stores, which is an IPv4
address in this case. Current maximum name length is 16 characters.

% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }

Then, you can use it from the rule:

% nft add rule ip input ip saddr @blackhole drop

Named sets can be updated anytime, so you can add and delete elements from them.

Eric Leblond in his Why you will love nftables article shows a very
simple example to compare iptables with nftables:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

Which can be expressed in nftables with a couple of rules that provide a set:

% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
echo-request, nd-router-advert, nd-neighbor-advert } accept
####################################################

after

######################################################
Eric Leblond in his Why you will love nftables article shows a very
simple example to compare iptables with nftables:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

Which can be expressed in nftables with a couple of rules that provide a set:

% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
echo-request, nd-router-advert, nd-neighbor-advert } accept


Named sets

You can create the named sets with the following command:

% nft add set filter blackhole { type ipv4_addr\;}

Note that blackhole is the name of the set in this case. The type
option indicates the data type that this set stores, which is an IPv4
address in this case. Current maximum name length is 16 characters.

% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }

Then, you can use it from the rule:

% nft add rule ip input ip saddr @blackhole drop

Named sets can be updated anytime, so you can add and delete elements from them.

#############################################################

best regards
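
The two kinds of set from the wiki excerpt quoted in this message, written as one ruleset file for `nft -f` (an added example, not part of the post or of the wiki text). The table, set and element names come from the excerpt; the base chain definitions (hook, priority, policy) are assumptions.

```nftables
# Added example: load with "nft -f <file>"; the whole file is applied atomically.

table ip6 filter {
    chain input {
        # Assumed base chain definition; the excerpt does not show it.
        type filter hook input priority 0; policy accept;

        # Anonymous sets: written inline in the rule. They have no name,
        # so their contents can only change by replacing the rule itself.
        tcp dport { telnet, http, https } accept
        icmpv6 type { nd-neighbor-solicit, echo-request,
                      nd-router-advert, nd-neighbor-advert } accept
    }
}

table ip filter {
    # Named set: declared once in the table and referenced as @blackhole.
    set blackhole {
        type ipv4_addr
        elements = { 192.168.1.4, 192.168.1.5, 192.168.3.4 }
    }

    chain input {
        # Assumed base chain definition; the excerpt does not show it.
        type filter hook input priority 0; policy accept;

        # The rule stays fixed while the set behind it changes.
        ip saddr @blackhole drop
    }
}

# Updating the named set at runtime, without touching the rule
# (192.168.1.6 is a constructed address):
#   nft add element ip filter blackhole { 192.168.1.6 }
#   nft delete element ip filter blackhole { 192.168.3.4 }
#   nft list set ip filter blackhole
```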
* Re: nftables wiki
From: Pablo Neira Ayuso @ 2015-09-24 17:57 UTC
To: Richard Melville; +Cc: netfilter
On Thu, Sep 24, 2015 at 02:20:26PM +0100, Richard Melville wrote:
> Hi
>
> I've noticed a number of typos and general errors on the wiki. Is it
> possible to get write permissions in order to rectify those issues?
Just created an account for you.
* nftables wiki
From: Richard Melville @ 2015-09-24 13:20 UTC
To: netfilter
Hi
I've noticed a number of typos and general errors on the wiki. Is it
possible to get write permissions in order to rectify those issues?
--
Richard Melville
Systems Architect
cellularity.co.uk
stellarsystem.wordpress.com
+44 20 33 555 305
+44 7957 836330