Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
6.4. Using sets in nftables commands
The
nftables framework natively supports sets. You can use sets, for example, if a rule should match multiple IP addresses, port numbers, interfaces, or any other match criteria.
6.4.1. Using anonymous sets in nftables
Link kopierenLink in die Zwischenablage kopiert!
An anonymous set contain comma-separated values enclosed in curly brackets, such as
{ 22, 80, 443 }, that you use directly in a rule. You can also use anonymous sets also for IP addresses or any other match criteria.
The drawback of anonymous sets is that if you want to change the set, you must replace the rule. For a dynamic solution, use named sets as described in Section 6.4.2, “Using named sets in nftables”.
Prerequisites
- The example_chain chain and the example_table table in the
inetfamily exists.
Procedure 6.13. Using anonymous sets in nftables
- For example, to add a rule to example_chain in example_table that allows incoming traffic to port
22,80, and443:nft add rule inet example_table example_chain tcp dport { 22, 80, 443 } accept# nft add rule inet example_table example_chain tcp dport { 22, 80, 443 } acceptCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Optionally, display all chains and their rules in example_table:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
6.4.2. Using named sets in nftables
Link kopierenLink in die Zwischenablage kopiert!
The
nftables framework supports mutable named sets. A named set is a list or range of elements that you can use in multiple rules within a table. Another benefit over anonymous sets is that you can update a named set without replacing the rules that use the set.
When you create a named set, you must specify the type of elements the set contains. You can set the following types:
ipv4_addrfor a set that contains IPv4 addresses or ranges, such as192.0.2.1or192.0.2.0/24.ipv6_addrfor a set that containsIPv6addresses or ranges, such as2001:db8:1::1or2001:db8:1::1/64.ether_addrfor a set that contains a list of media access control (MAC) addresses, such as52:54:00:6b:66:42.inet_protofor a set that contains a list of Internet protocol types, such astcp.inet_servicefor a set that contains a list of Internet services, such asssh.markfor a set that contains a list of packet marks. Packet marks can be any positive 32-bit integer value (0to2147483647).
Prerequisites
- The example_chain chain and the example_table table exists.
Procedure 6.14. Using named sets in nftables
Create an empty set. The following examples create a set for
IPv4addresses:- To create a set that can store multiple individual
IPv4addresses:nft add set inet example_table example_set { type ipv4_addr \; }# nft add set inet example_table example_set { type ipv4_addr \; }Copy to Clipboard Copied! Toggle word wrap Toggle overflow - To create a set that can store
IPv4address ranges:nft add set inet example_table example_set { type ipv4_addr \; flags interval \; }# nft add set inet example_table example_set { type ipv4_addr \; flags interval \; }Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Important
To avoid that the shell interprets the semicolons as the end of the command, you must escape the semicolons with a backslash.- Optionally, create rules that use the set. For example, the following command adds a rule to the example_chain in the example_table that will drop all packets from
IPv4addresses in example_set.nft add rule inet example_table example_chain ip saddr @example_set drop
# nft add rule inet example_table example_chain ip saddr @example_set dropCopy to Clipboard Copied! Toggle word wrap Toggle overflow Because example_set is still empty, the rule has currently no effect. Add IPv4 addresses to example_set:
- If you create a set that stores individual
IPv4addresses, enter:nft add element inet example_table example_set { 192.0.2.1, 192.0.2.2 }# nft add element inet example_table example_set { 192.0.2.1, 192.0.2.2 }Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If you create a set that stores
IPv4ranges, enter:nft add element inet example_table example_set { 192.0.2.0-192.0.2.255 }# nft add element inet example_table example_set { 192.0.2.0-192.0.2.255 }Copy to Clipboard Copied! Toggle word wrap Toggle overflow
When you specify an IP address range, you can alternatively use the Classless Inter-Domain Routing (CIDR) notation, such as192.0.2.0/24in the above example.
6.4.3. Related information
Link kopierenLink in die Zwischenablage kopiert!
For further details about sets, see the
Sets section in the nft(8) man page.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}