Given this map:
# Verdict map keyed on (L4 protocol . destination port): a packet whose key is
# present is sent to chain dscp_set_voice with "goto".
# NOTE(review): goto does not return to the calling chain, so any rules that
# follow the vmap lookup in that chain are skipped for matched packets -- use
# "jump" if the caller is expected to continue (e.g. to a later accept rule)
# after the DSCP is set.
map rules_proto_dport {
type inet_proto . inet_service : verdict
elements = {
tcp . 53 : goto dscp_set_voice, # DNS
udp . 53 : goto dscp_set_voice, # DNS
tcp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 853 : goto dscp_set_voice, # DNS-over-QUIC (udp/853; DoT is TCP-only)
udp . 123 : goto dscp_set_voice # NTP
}
}
Is it possible to use a previously defined variable for the `elements` portion of the map?
So something along the lines of:
# Sketch of the desired form only -- as written this is not accepted by nft:
# a bare "$elements_variable" is not a valid statement inside a map block.
# The accepted form is "elements = $VAR", with VAR created by "define".
map rules_proto_dport {
type inet_proto . inet_service : verdict
$elements_variable
}
#/etc/config/firewall
# fw4 include entry: /etc/vmap is executed as a shell script (type 'script')
# each time fw4 (re)loads the firewall; fw4_compatible marks it as written
# for fw4 rather than the legacy fw3.
# NOTE(review): the script runs with fw4's privileges (root) on every reload,
# so /etc/vmap should be root-owned and not writable by other users.
config include
option enabled 1
# 'script' = run a shell script (raw nftables snippets use type 'nftables').
option type 'script'
option path '/etc/vmap'
option fw4_compatible 1
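#!/bin/sh
# /etc/vmap -- fw4 "script" include (referenced from /etc/config/firewall).
#
# Runs after the fw4 ruleset is installed and (re)populates the verdict map
# rules_proto_dport in table inet fw4 with a single
# "proto . dport : goto dscp_set_voice" element.
#
# NOTE(review): chain dscp_set_voice must already exist in table inet fw4 when
# this runs, otherwise "nft add element" is rejected -- confirm it is declared
# by an earlier nftables include.
#
# Exits non-zero (and stops) on the first failing nft command instead of
# silently continuing with a half-populated map.
set -eu

protocol=udp   # inet_proto key of the element
port=53        # inet_service (destination port) key of the element

# Drop elements left over from a previous load. The flush fails when the map
# does not exist yet; that case is expected and is the only error ignored here.
nft flush map inet fw4 rules_proto_dport 2>/dev/null || true

# "add map" is a no-op when a map with this definition already exists.
# The whole map body is passed as one argument so the ';' reaches nft
# unchanged (nft re-joins its arguments with spaces before parsing them).
nft add map inet fw4 rules_proto_dport '{ type inet_proto . inet_service : verdict; }'

# Quoted so a mistyped value cannot be word-split into extra nft tokens.
nft add element inet fw4 rules_proto_dport "{ $protocol . $port : goto dscp_set_voice }"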
Thanks, but I'm really looking for a way to fit this into a file that I can load from a script with `nft -f`. Is there no way to have this portion:
# Element list of the rules_proto_dport verdict map (quoted from the map above).
elements = {
tcp . 53 : goto dscp_set_voice, # DNS
udp . 53 : goto dscp_set_voice, # DNS
tcp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 853 : goto dscp_set_voice, # DNS-over-QUIC (udp/853; DoT is TCP-only)
udp . 123 : goto dscp_set_voice # NTP
}
made into an nftables variable definition (a `define`), as I already do for other things, e.g.:
# Set of local (LAN-side) bridge interface names, referenced as $IFACE_NAMES.
define IFACE_NAMES = { br-lan, br-guest }
UPDATE: the following appears to work:
# Element list for the rules_proto_dport verdict map, kept in a define so the
# map body can reference it as "elements = $VAR".
define VAR = {
tcp . 53 : goto dscp_set_voice, # DNS
udp . 53 : goto dscp_set_voice, # DNS
tcp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 853 : goto dscp_set_voice, # DNS-over-QUIC (udp/853; DoT is TCP-only)
udp . 123 : goto dscp_set_voice # NTP
}
# Verdict map keyed on (L4 protocol . destination port); its elements come
# from the $VAR define above.
# NOTE(review): every element uses "goto", which does not return to the
# calling chain -- rules after the vmap lookup are skipped for matched
# packets. Use "jump" if the calling chain must continue after marking.
map rules_proto_dport {
type inet_proto . inet_service : verdict
elements = $VAR
}