6.4. Using sets in nftables commands
The nftables framework natively supports sets. You can use sets, for example, if a rule should match multiple IP addresses, port numbers, interfaces, or any other match criteria.
6.4.1. Using anonymous sets in nftables
An anonymous set contains comma-separated values enclosed in curly brackets, such as { 22, 80, 443 }, that you use directly in a rule. You can also use anonymous sets for IP addresses or any other match criteria.
Prerequisites
- The example_chain chain and the example_table table in the inet family exist.
Procedure 6.13. Using anonymous sets in nftables
- For example, to add a rule to example_chain in example_table that allows incoming traffic to port 22, 80, and 443:
    # nft add rule inet example_table example_chain tcp dport { 22, 80, 443 } accept
- Optionally, display all chains and their rules in example_table.
6.4.2. Using named sets in nftables
The nftables framework supports mutable named sets. A named set is a list or range of elements that you can use in multiple rules within a table. Another benefit over anonymous sets is that you can update a named set without replacing the rules that use the set.
When you create a named set, you must specify the type of the elements it contains. You can use the following types:
- ipv4_addr for a set that contains IPv4 addresses or ranges, such as 192.0.2.1 or 192.0.2.0/24.
- ipv6_addr for a set that contains IPv6 addresses or ranges, such as 2001:db8:1::1 or 2001:db8:1::1/64.
- ether_addr for a set that contains a list of media access control (MAC) addresses, such as 52:54:00:6b:66:42.
- inet_proto for a set that contains a list of Internet protocol types, such as tcp.
- inet_service for a set that contains a list of Internet services, such as ssh.
- mark for a set that contains a list of packet marks. Packet marks can be any positive 32-bit integer value (0 to 2147483647).
Prerequisites
- The example_chain chain and the example_table table exist.
Procedure 6.14. Using named sets in nftables
- Create an empty set. The following examples create a set for IPv4 addresses:
  - To create a set that can store multiple individual IPv4 addresses:
        # nft add set inet example_table example_set { type ipv4_addr \; }
  - To create a set that can store IPv4 address ranges:
        # nft add set inet example_table example_set { type ipv4_addr \; flags interval \; }
  Important
  To prevent the shell from interpreting the semicolons as the end of the command, you must escape the semicolons with a backslash.
- Optionally, create rules that use the set. For example, the following command adds a rule to the example_chain in the example_table that drops all packets from IPv4 addresses in example_set:
        # nft add rule inet example_table example_chain ip saddr @example_set drop
  Because example_set is still empty, the rule currently has no effect.
- Add IPv4 addresses to example_set:
  - If you created a set that stores individual IPv4 addresses, enter:
        # nft add element inet example_table example_set { 192.0.2.1, 192.0.2.2 }
  - If you created a set that stores IPv4 ranges, enter:
        # nft add element inet example_table example_set { 192.0.2.0-192.0.2.255 }
  When you specify an IP address range, you can alternatively use Classless Inter-Domain Routing (CIDR) notation, such as 192.0.2.0/24 in the above example.
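The following added example (not part of the documentation) ties the named-set steps together: a POSIX shell script that turns a plain-text list of IPv4 addresses, a-b ranges and CIDR prefixes into an nft script that refreshes example_set in one transaction, so the drop rule that references @example_set never has to be replaced. It assumes the table and set names from the procedure; the address list it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the documentation: build an nft script that refreshes
# the named interval set from the procedure above from a plain-text list of IPv4
# addresses, a-b ranges and CIDR prefixes. 'nft -f FILE' applies the script as
# one transaction, so rules referencing @example_set keep working throughout.
# Assumed names: table inet example_table and set example_set, as in the text.
TABLE="inet example_table"; SET="example_set"
# build_set_refresh FILE: print the nft script on stdout. Returns 1 if any entry
# is malformed; such entries are reported on stderr and left out of the set.
build_set_refresh() {
    _oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    _ip="$_oct(\\.$_oct){3}"
    _pfx='/([0-9]|[12][0-9]|3[0-2])'
    _elems='' _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _e=$(printf '%s' "${_line%%#*}" | tr -d '[:space:]')  # drop comments/blanks
        [ -z "$_e" ] && continue
        if printf '%s\n' "$_e" | grep -Eq "^$_ip($_pfx|-$_ip)?\$"; then
            _elems="${_elems:+$_elems, }$_e"
        else
            printf 'rejected entry: %s\n' "$_e" >&2; _rc=1
        fi
    done < "$1"
    # No shell parses an nft -f script, so the semicolons need no backslash here.
    printf 'add table %s\n' "$TABLE"
    printf 'add set %s %s { type ipv4_addr; flags interval; }\n' "$TABLE" "$SET"
    printf 'flush set %s %s\n' "$TABLE" "$SET"
    if [ -n "$_elems" ]; then
        printf 'add element %s %s { %s }\n' "$TABLE" "$SET" "$_elems"
    fi
    return $_rc
}
# demo: write a constructed sample list (documentation address ranges) and
# print the script for it. Keep intervals non-overlapping: nft rejects
# conflicting intervals in an interval set.
demo() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
# hosts and networks to drop
192.0.2.1
192.0.2.16-192.0.2.31    # an a-b range
203.0.113.0/24           # CIDR notation works as well
EOF
    build_set_refresh "$_f"; _rc=$?
    rm -f "$_f"
    return $_rc
}
demo   # apply with: nft -f script; check with: nft list set inet example_table example_set
```

Validating every entry before it reaches nft matters because a single syntax error in an nft -f script aborts the whole transaction, leaving the set unchanged.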
6.4.3. Related information
- Sets section in the nft(8) man page.