Can I match a set negatively in nftables?

Question

Let's say I want to apply a rule to ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }, but I want to exclude two more specific IPv4 addresses from that. How do I do that?

I was hoping for some more elegant way of doing this:

ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \ ip daddr != 10.0.1.2 \ ip daddr != 10.0.2.3

as explained in the nft manpage for negation of addresses or ranges, but it does not show a way to do that with sets.

If someone comes across this - there is a great in-depth documentation for the 'libnftables' library: mankier.com/5/libnftables-json#Statements-Match \- AnsibleGuy — ansibleguy
– ansibleguy, Commented Jan 8, 2023 at 16:11

gertvdijk · Accepted Answer · 2019-05-05 20:34:46Z

It appears that negations of sets are working as expected (undocumented):

ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \ ip daddr != { 10.0.1.2, 10.0.2.3 }

Stack Exchange Network

Can I match a set negatively in nftables?

1 Answer 1

You must log in to answer this question.

Hot Network Questions

Can I match a set negatively in nftables?

1 Answer 1

You must log in to answer this question.

Related

Hot Network Questions