bugzilla-daemon at netfilter.org
2021-Feb-18 02:53 UTC
[Bug 1504] New: Feature request: Negated set elements in interval sets, as with ipset nomatch
https://bugzilla.netfilter.org/show_bug.cgi?id=1504

            Bug ID: 1504
           Summary: Feature request: Negated set elements in interval sets, as with ipset nomatch
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: fmyhr at fhmtech.com

It would be useful to be able to add negated elements (those that are explicitly excluded from the set) to interval sets, as with the nomatch keyword using ipset.

For example, I have an interval set 'harsh' of ipv4 address blocks that get filtered more severely than most. But there are a few hosts within some of the elements that I want to subject to my normal policy instead. I do this now by creating a second set 'harsh-' for the exceptions and using a rule like

    ip saddr @harsh ip saddr != @harsh- jump harsh_chain

If nftables had negated elements then I could eliminate the harsh- set and the 2nd expression in the above rule.

Even though this change may not appear to be a major benefit as far as nftables itself is concerned, it would make maintaining such a 'harsh' (or similar) set much easier. For now I maintain such lists as a single 'base list' in my own syntax (using ! for negated elements), and use scripts to translate this base list into 'positive' and 'negative' nft sets, and to transform nft expressions using base sets (with my custom '~' operator) into the expression pair in the above example. This works but is slow and clunky in addition to using the non-standard syntax.
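The two-set workaround from the report, as an added example that is not the reporter's script and not part of nftables: a small translator that turns one base list (one element per line, a leading '!' marking a negated element) into an nft interval set NAME plus an exception set NAME-, rewrites rules written with a hypothetical '~' operator into the 'ip saddr @NAME ip saddr != @NAME-' pair, and flags negated entries that lie inside no positive block (an exception that can never fire). The base-list syntax, the NAME- naming convention, the '~' operator, the sample addresses and the table/chain names are all assumptions modelled on the report's description.

```python
"""Added example (not the reporter's script): translate a '!'-annotated base
list into the positive/exception set pair described in the report and rewrite
'~' rules into the two-expression form. Syntax and names are assumptions."""
import ipaddress
import re

# Constructed sample base list (documentation prefixes from RFC 5737).
BASE_LIST = """\
# blocks that get the harsh policy ...
203.0.113.0/24
198.51.100.0/25
# ... and hosts inside them that keep the normal policy
!203.0.113.7
!198.51.100.20/30
"""

# Assumed '~' syntax: "<ip|ip6> <saddr|daddr> ~ @setname".
_TILDE = re.compile(r"\b(ip6? (?:saddr|daddr)) ~ @([A-Za-z_][\w./-]*)")


def _canon(entry):
    """Validate one entry as an IPv4 block; host bits set under the prefix are
    an error. Single hosts are emitted without a /32 suffix, as nft prints them."""
    net = ipaddress.IPv4Network(entry, strict=True)
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def parse_base_list(text):
    """Return (positive, negative) element lists; '#' comments and blank lines are skipped."""
    positive, negative = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            negative.append(_canon(line[1:].strip()))
        else:
            positive.append(_canon(line))
    return positive, negative


def find_orphans(positive, negative):
    """Negated elements that lie inside no positive block. The first expression
    of the rule pair never matches them, so such an entry is almost certainly a typo."""
    blocks = [ipaddress.IPv4Network(p) for p in positive]
    return [n for n in negative
            if not any(ipaddress.IPv4Network(n).subnet_of(b) for b in blocks)]


def render_sets(name, positive, negative):
    """nft definitions for the positive interval set NAME and the exception set NAME-."""
    def block(set_name, elems):
        lines = [f"set {set_name} {{", "    type ipv4_addr", "    flags interval"]
        if elems:  # nft does not accept an empty 'elements = { }' clause
            lines.append(f"    elements = {{ {', '.join(elems)} }}")
        lines.append("}")
        return "\n".join(lines)
    return block(name, positive) + "\n" + block(name + "-", negative)


def rewrite_rule(rule):
    """'ip saddr ~ @harsh' -> 'ip saddr @harsh ip saddr != @harsh-'."""
    return _TILDE.sub(lambda m: f"{m[1]} @{m[2]} {m[1]} != @{m[2]}-", rule)


def render_ruleset(name, base_text, rules, target_chain="harsh_chain"):
    """A complete table loadable with 'nft -f': both sets, an empty target chain
    and the rewritten rules in an input chain. Refuses orphaned exceptions."""
    positive, negative = parse_base_list(base_text)
    orphans = find_orphans(positive, negative)
    if orphans:
        raise ValueError(f"negated elements outside every positive block: {orphans}")
    out = ["table inet filter {"]
    out += ["    " + l for l in render_sets(name, positive, negative).split("\n")]
    out += [f"    chain {target_chain} {{", "    }",
            "    chain input {",
            "        type filter hook input priority 0; policy accept;"]
    out += ["        " + rewrite_rule(r) for r in rules]
    out += ["    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_ruleset("harsh", BASE_LIST, ["ip saddr ~ @harsh jump harsh_chain"]))
```

The orphan check is the part worth keeping even if the rest is replaced: with two separate sets nothing ties an exception to the block it carves out of, so a mistyped exception silently does nothing, which is exactly the maintenance hazard the report describes.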