git-history.diyao.me Git - systemd/.git/commit

network: firewall integration with NFT sets

New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for
integrating configuration of dynamic networks into firewall rules with NFT
sets.

/etc/systemd/network/eth.network
```
[DHCPv4]
...
NFTSet=netdev:filter:eth_ipv4_address
```

```
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
        }
        chain eth_ingress {
                type filter hook ingress device "eth0" priority filter; policy drop;
                ip saddr != @eth_ipv4_address drop
                accept
        }
}
```
```
sudo nft list set netdev filter eth_ipv4_address
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/24 }
        }
}
```

author	Topi Miettinen <toiwoton@gmail.com>
	Sun, 22 May 2022 11:09:06 +0000 (14:09 +0300)
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>
	Wed, 8 Jun 2022 16:12:25 +0000 (16:12 +0000)
commit	ab51fd9dbdc59f9a37acd8acaea3e9088d092bba
tree	82dbd77f4def265280ea0bb5463cd105f6cd3fcb	tree \| snapshot
parent	e8f1b50f271f5e28b99182c56eb1b8c704456c34	commit \| diff

man/systemd.network.xml		diff \| blob \| history
src/basic/parse-util.c		diff \| blob \| history
src/basic/parse-util.h		diff \| blob \| history
src/network/networkd-address.c		diff \| blob \| history
src/network/networkd-address.h		diff \| blob \| history
src/network/networkd-network-gperf.gperf		diff \| blob \| history
src/network/networkd-network.c		diff \| blob \| history
src/network/networkd-network.h		diff \| blob \| history
src/shared/firewall-util-nft.c		diff \| blob \| history
src/shared/firewall-util.h		diff \| blob \| history
src/test/meson.build		diff \| blob \| history
src/test/test-nft-set.c	[new file with mode: 0644]	blob
test/fuzz/fuzz-network-parser/directives		diff \| blob \| history