6.4. Using sets in nftables commands
The nftables framework natively supports sets. You can use sets, for example, if a rule should match multiple IP addresses, port numbers, interfaces, or any other match criteria.
	6.4.1. Using anonymous sets in nftables
An anonymous set contains comma-separated values enclosed in curly brackets, such as { 22, 80, 443 }, that you use directly in a rule. You can also use anonymous sets for IP addresses or any other match criteria.

The drawback of anonymous sets is that if you want to change the set, you must replace the rule. For a dynamic solution, use named sets as described in Section 6.4.2, “Using named sets in nftables”.
Prerequisites
- The example_chain chain and the example_table table in the inet family exist.

Procedure 6.13. Using anonymous sets in nftables
- For example, to add a rule to example_chain in example_table that allows incoming traffic to ports 22, 80, and 443:

  # nft add rule inet example_table example_chain tcp dport { 22, 80, 443 } accept

- Optionally, display all chains and their rules in example_table.
6.4.2. Using named sets in nftables
The nftables framework supports mutable named sets. A named set is a list or range of elements that you can use in multiple rules within a table. Another benefit over anonymous sets is that you can update a named set without replacing the rules that use the set.

When you create a named set, you must specify the type of elements the set contains. You can set the following types:
- ipv4_addr for a set that contains IPv4 addresses or ranges, such as 192.0.2.1 or 192.0.2.0/24.
- ipv6_addr for a set that contains IPv6 addresses or ranges, such as 2001:db8:1::1 or 2001:db8:1::1/64.
- ether_addr for a set that contains a list of media access control (MAC) addresses, such as 52:54:00:6b:66:42.
- inet_proto for a set that contains a list of Internet protocol types, such as tcp.
- inet_service for a set that contains a list of Internet services, such as ssh.
- mark for a set that contains a list of packet marks. Packet marks can be any positive 32-bit integer value (0 to 2147483647).
Prerequisites
- The example_chain chain and the example_table table exist.

Procedure 6.14. Using named sets in nftables
- Create an empty set. The following examples create a set for IPv4 addresses:
  - To create a set that can store multiple individual IPv4 addresses:

    # nft add set inet example_table example_set { type ipv4_addr \; }

  - To create a set that can store IPv4 address ranges:

    # nft add set inet example_table example_set { type ipv4_addr \; flags interval \; }

  Important: To prevent the shell from interpreting the semicolons as the end of the command, escape them with a backslash.
- Optionally, create rules that use the set. For example, the following command adds a rule to the example_chain in the example_table that drops all packets from IPv4 addresses in example_set:

  # nft add rule inet example_table example_chain ip saddr @example_set drop

  Because example_set is still empty, the rule currently has no effect.
- Add IPv4 addresses to example_set:
  - If you created a set that stores individual IPv4 addresses, enter:

    # nft add element inet example_table example_set { 192.0.2.1, 192.0.2.2 }

  - If you created a set that stores IPv4 ranges, enter:

    # nft add element inet example_table example_set { 192.0.2.0-192.0.2.255 }

  When you specify an IP address range, you can alternatively use the Classless Inter-Domain Routing (CIDR) notation, such as 192.0.2.0/24 in the above example.
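As an added example that is not part of the Red Hat documentation, the following Python script turns a blocklist file into an nft ruleset (for `nft -f -`) that creates the named set from Procedure 6.14 with the flags it needs, merges overlapping entries (an interval set rejects overlapping elements), and reloads the elements with `flush set` so the drop rule that references @example_set never has to be replaced. It assumes the page's table, chain and set names, a chain dedicated to this blocklist, and a constructed sample blocklist.

```python
"""Build an nft ruleset that (re)loads a named IPv4 set from a blocklist.
Added example; the table/chain/set names come from Procedure 6.14 and the
chain is assumed to be used only for this blocklist."""
import ipaddress
from typing import Iterable, List

# Constructed sample blocklist (documentation ranges, not real indicators).
SAMPLE_BLOCKLIST = """\
# individual addresses, an nft-style range and two adjacent CIDR blocks
192.0.2.1
192.0.2.2
192.0.2.0-192.0.2.255
198.51.100.0/25
198.51.100.128/25
"""


def parse_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Turn one blocklist line (address, CIDR prefix or a-b range) into IPv4
    networks. Raises ValueError on anything else, so a malformed line is
    rejected here instead of aborting `nft -f` half-way through."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {entry}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.IPv4Network(entry, strict=False)]


def set_elements(entries: Iterable[str]) -> List[str]:
    """Collapse duplicate, overlapping and adjacent entries and render them
    as set elements: a bare address for /32, CIDR notation otherwise."""
    nets = [n for e in entries if e.strip() and not e.lstrip().startswith("#")
            for n in parse_entry(e)]
    return [str(n.network_address) if n.prefixlen == 32 else str(n)
            for n in ipaddress.collapse_addresses(nets)]


def build_ruleset(entries: Iterable[str], table: str = "example_table",
                  chain: str = "example_chain", set_name: str = "example_set") -> str:
    """Return ruleset text; `flags interval` is set only when a prefix remains.
    A set's type and flags cannot be changed in place: delete it first if the
    blocklist switches between single addresses and ranges."""
    elems = set_elements(entries)
    flags = " flags interval;" if any("/" in e for e in elems) else ""
    lines = [f"add table inet {table}",
             f"add chain inet {table} {chain} {{ type filter hook input priority 0; policy accept; }}",
             f"add set inet {table} {set_name} {{ type ipv4_addr;{flags} }}",
             f"flush set inet {table} {set_name}"]  # elements replaced, rule untouched
    if elems:
        lines.append(f"add element inet {table} {set_name} {{ {', '.join(elems)} }}")
    # Flushing the (dedicated) chain keeps re-runs from appending duplicate rules.
    lines += [f"flush chain inet {table} {chain}",
              f"add rule inet {table} {chain} ip saddr @{set_name} drop"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(SAMPLE_BLOCKLIST.splitlines()), end="")
```

Run it as `python3 blocklist_to_nft.py | nft -f -` to apply the whole ruleset atomically; the file form needs no backslashes before the semicolons.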
6.4.3. Related information
For further details about sets, see the Sets section in the nft(8) man page.