diff options
author | Arturo Borrero Gonzalez <arturo@netfilter.org> | 2018-02-24 22:06:19 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-25 19:50:23 +0100 |
commit | 6c9230e79339ca4fd662855c84529fa92e962ca5 (patch) | |
tree | 9d34224c6e5a8799edde4a5a7fa20517b7ee630f /files/examples/sets_and_maps.nft | |
parent | 4d6ad0f310d6cc3a1d776d32d9d7d678017c6dd7 (diff) |
nftables: rearrange files and examples
Concatenate all family/hook examples into a single one by means of includes.
Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.
While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'files/examples/sets_and_maps.nft')
-rwxr-xr-x | files/examples/sets_and_maps.nft | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft new file mode 100755 index 00000000..f5157b3b --- /dev/null +++ b/files/examples/sets_and_maps.nft @@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to use sets and maps in the nftables framework. +# This script is meant to be loaded with `nft -f <file>` +# For up-to-date information please visit https://wiki.nftables.org + +# symbolic anonymous set definition built from symbolic singleton definitions +define int_if1 = eth0 +define int_if2 = eth1 +define int_ifs = { $int_if1, $int_if2 } + +define ext_if1 = eth2 +define ext_if2 = eth3 +define ext_ifs = { $ext_if1, $ext_if2 } + +# recursive symbolic anonymous set definition +define local_ifs = { $int_ifs, $ext_ifs } + +# symbolic anonymous set definition +define tcp_ports = { ssh, domain, https, 123-125 } + +delete table filter +table filter { + # named set of type iface_index + set local_ifs { + type iface_index + } + + # named map of type iface_index : ipv4_addr + map nat_map { + type iface_index : ipv4_addr + } + + map jump_map { + type iface_index : verdict + } + + chain input_1 { counter; } + chain input_2 { counter; } + chain input { + type filter hook input priority 0 + + # symbolic anonymous sets + meta iif $local_ifs tcp dport $tcp_ports counter + + # literal anonymous set + meta iif { eth0, eth1 } counter + + meta iif @local_ifs counter + meta iif vmap @jump_map + + #meta iif vmap { eth0 : jump input1, eth1 : jump input2 } + } +} |