3

For a netdev filter table's ingress hook I'd like to store the device name in a variable, but I somehow can't figure out the correct syntax.

It works as follows:

table netdev filter { chain ingress { type filter hook ingress device ens33 priority -500; # ... } }

... but I would like to use a variable in place of ens33 on the line:

type filter hook ingress device ens33 priority -500;

When I use the following, I get an error:

define extif = ens33 table netdev filter { chain ingress { type filter hook ingress device $extif priority -500; # ... } }

The error reads:

Error: syntax error, unexpected '$', expecting string or quoted string or string with a trailing asterisk

Now I also tried ens* hoping for it to be similar to ens+ in iptables, but then the error changes to the one I also encounter when giving an invalid device name:

Error: Could not process rule: No such file or directory chain ingress { ^^^^^^^

Similarly quoting didn't work for me. The documentation also didn't provide the clue that could make it work.

How can I place the name (or names) of my external interfaces in a variable in order to use them as parameter for device on the type filter hook ... stanza?

The kernel is 5.8 and the system is Ubuntu 20.04. nftables reports as v0.9.3 (Topsy).

Improve this question

1 Answer 1

Reset to default
3

Alas, this feature was added with this commit made available only since nftables 0.9.7. Your ruleset works as-is when tested with nftables 0.9.8.

src: allow to use variables in flowtable and chain devices

This patch adds support for using variables for devices in the chain and flowtable definitions, eg.

define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } }

Signed-off-by: Pablo Neira Ayuso [email protected]

A netdev family chain registers to one or multiple (since kernel 5.5 and nftables 0.9.3) interface(s), which must all exist before the chain definition. A wildcard can't be used.

The multidevice chain syntax is slightly different:

table netdev filter { chain ingress { type filter hook ingress devices = { ens33, ens34 } priority -500; # ... } }

Or with nftables >= 0.9.7:

define extifs = { ens33, ens34 } table netdev filter { chain ingress { type filter hook ingress devices = $extifs priority -500; # ... } }

Having only one interface (eg: { ens33 }) is displayed back with the previous existing syntax.

Improve this answer
2
  • While the Ubuntu equivalent of a FrankenDebian is to consider, using only three packages from Ubuntu 21.04: libnftnl11, libnftables1, nftables on Ubuntu 20.04 provides nftables 0.9.7 and gets last example working fine in a focal container. Commented May 2, 2021 at 1:55
  • Actually I'd like to avoid anything like a FrankenDebian. Commented May 11, 2021 at 21:37

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.