[nftables] possible to utilise sets across different tables?

[nftables] possible to utilise sets across different tables?

[ѽ҉ᶬḳ℠]

Would it be possible to generate a set in 'table inet' based on 'saddr  
ct state invalid drop' and then utilise the same set in a 'table netdev 
rule', for offending saddr getting blocked early?

Re: [nftables] possible to utilise sets across different tables?

[ѽ҉ᶬḳ℠]

On 23/09/2020 13:43, ѽ҉ᶬḳ℠ wrote:
> Would it be possible to generate a set in 'table inet' based on 
> 'saddr  ct state invalid drop' and then utilise the same set in a 
> 'table netdev rule', for offending saddr getting blocked early?
>

Tried some variations but none worked out and thus it seems deployment 
of sets across families is not supported. Though I reckon it would be a 
beneficial feature:

* mitigate repetition of same sets that are applicable for different 
families
* gather set data in one family, e.g offenders' saddr from inet, and 
deploy such set in a rule in a different family, e.g. in netdev for 
blocking such offenders early on

Re: [nftables] possible to utilise sets across different tables?

[Pablo Neira Ayuso]

On Fri, Sep 25, 2020 at 09:52:00AM +0000, ѽ҉ᶬḳ℠ wrote:
> On 23/09/2020 13:43, ѽ҉ᶬḳ℠ wrote:
> > Would it be possible to generate a set in 'table inet' based on 'saddr 
> > ct state invalid drop' and then utilise the same set in a 'table netdev
> > rule', for offending saddr getting blocked early?
> > 
> 
> Tried some variations but none worked out and thus it seems deployment of
> sets across families is not supported. Though I reckon it would be a
> beneficial feature:
> 
> * mitigate repetition of same sets that are applicable for different
> families
> * gather set data in one family, e.g offenders' saddr from inet, and deploy
> such set in a rule in a different family, e.g. in netdev for blocking such
> offenders early on

This is feasible. I have an incomplete patchset to enable this, I'll
try to scratch some time to finish this.