* Conditional inclusion of parts of nft file?
@ 2022-04-27 10:24 Jesper Dybdal
  2022-05-01 16:42 ` Jesper Dybdal
  0 siblings, 1 reply; 2+ messages in thread
From: Jesper Dybdal @ 2022-04-27 10:24 UTC (permalink / raw)
  To: netfilter

I am beginning to plan my change from iptables to native nft.

My iptables shell script has some conditionals where rules are included 
or not depending on environment variables or other conditions that are 
known beforehand.  Example: whether or not all interfaces, or only some, 
are up.

Is this possible with nft?  I.e., something like:

    define externalinterfaceready = 1
    ...
    if ( externalinterfaceready) {
         ... add rules depending on the external interface being up
    }

And even better if it could query environment variables.

I haven't seen any description of something like this being possible in 
a less clumsy way than dynamically building an include file for every 
"if" and include them in the ruleset at suitable points.

Have I overlooked something?

Thanks,
Jesper

-- 
Jesper Dybdal
https://www.dybdal.dk



* Re: Conditional inclusion of parts of nft file?
  2022-04-27 10:24 Conditional inclusion of parts of nft file? Jesper Dybdal
@ 2022-05-01 16:42 ` Jesper Dybdal
  0 siblings, 0 replies; 2+ messages in thread
From: Jesper Dybdal @ 2022-05-01 16:42 UTC (permalink / raw)
  To: netfilter

I wrote the question quoted below some days ago.

There have been no answers, which surprises me - I would have thought 
that just about everybody would want a way to conditionally in- or 
exclude rules.

I have now chosen to assume that there is no such possibility in nft, 
and I am now writing a simple preprocessor that will solve my problem.

Another and somewhat related thing I miss is empty anonymous sets. If I 
have an nft file containing:
     define AllowedIps = { 1.2.3.4, 5.6.7.8 }
     ...
     ... daddr $AllowedIps accept

then it might happen that some day both ip addresses are no longer 
allowed, and I would then expect that when I changed the "define" 
statement to
     define AllowedIps = {  }
then the rule further below would become a NOP.  But nft does not accept 
an empty set.

Regards,
Jesper

On 2022-04-27 12:24, Jesper Dybdal wrote:
> I am beginning to plan my change from iptables to native nft.
>
> My iptables shell script has some conditionals where rules are 
> included or not depending on environment variables or other conditions 
> that are known beforehand.  Example: whether or not all interfaces, or 
> only some, are up.
>
> Is this possible with nft?  I.e., something like:
>
>    define externalinterfaceready = 1
>    ...
>    if ( externalinterfaceready) {
>         ... add rules depending on the external interface being up
>    }
>
> And even better if it could query environment variables.
>
> I haven't seen any description of something like this being possible 
> in a less clumsy way than dynamically building an include file for 
> every "if" and include them in the ruleset at suitable points.
>
> Have I overlooked something?
>
> Thanks,
> Jesper
>

-- 
Jesper Dybdal
https://www.dybdal.dk
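A preprocessor of the kind the second message says it is writing, as an added example that is not the author's code: the `#if` / `#ifnot` / `#endif` directive names, the rule that a `define X = { }` line and every later rule referencing `$X` are dropped, and the sample ruleset in the comments are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Tiny preprocessor for nft rulesets (example code, hypothetical syntax).

    #if NAME      keep following lines if env var NAME is set and non-empty
    #ifnot NAME   keep following lines if env var NAME is unset or empty
    #endif        close the innermost block (nesting allowed)

An empty anonymous set (`define X = { }`) is not accepted by nft, so the
define and every later rule that mentions `$X` are dropped; matching on an
empty set would never fire anyway, so the rule becomes a no-op as intended.
Caveat: nft treats `#...` as a comment, so if the unprocessed file is ever
loaded directly, every conditional block is silently included.
"""
import os
import re
import sys

EMPTY_DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*=\s*\{\s*\}\s*$")


def preprocess(text, env):
    """Return the ruleset text with directives resolved against `env`."""
    out, stack, empty_sets = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok and tok[0] in ("#if", "#ifnot"):
            if len(tok) != 2:
                raise SyntaxError(f"line {lineno}: {tok[0]} needs one name")
            truth = bool(env.get(tok[1]))           # unset or "" counts as false
            stack.append(truth if tok[0] == "#if" else not truth)
            continue
        if tok and tok[0] == "#endif":
            if not stack:
                raise SyntaxError(f"line {lineno}: #endif without #if")
            stack.pop()
            continue
        if not all(stack):                          # inside a disabled block
            continue
        m = EMPTY_DEFINE_RE.match(line)
        if m:                                       # empty set: remember, drop define
            empty_sets.add(m.group(1))
            continue
        if any(re.search(r"\$" + re.escape(s) + r"\b", line) for s in empty_sets):
            continue                                # rule on an empty set: no-op
        out.append(line)
    if stack:
        raise SyntaxError("unterminated #if block at end of file")
    return "\n".join(out) + "\n"


if __name__ == "__main__":                          # usage: preprocess.py < in.nft
    sys.stdout.write(preprocess(sys.stdin.read(), os.environ))
```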


