Hello @jow et al.,
So before the transition to nftables, you could create firewall objects in PROCD to create/target ipsets, like this. With the transition I have the following questions:
- Does fw4 still support ipset objects in PROCD? Does it require iptables-legacy then? Any changes to the syntax of the firewall objects?
- What's the syntax for creation of an nft set and targeting the nft set with PROCD firewall objects? Since nft sets can only be created within tables (afaik), how do I create a new inet table within a firewall object?
No. UCI declared "ipsets" are transparently translated to nft sets.
No changes, but some options are unsupported (but ignored) because they're not applicable to nft sets, such as
The same as before when using
No need for that. uci declared sets will be spawned within the
Thank you for your prompt reply @jow!
I need clarification on a few things please:
- How can I declare type for the set? I've tested and by default it's type ipv4_addr with the flags: interval. I need to create an IPv6 set as well.
- Can I rely on the sets being created in the table fw4 of type inet in the future?
PS. I see the reasons for transparent translation of ipset objects into actual nft sets, but the naming is confusing. Is there any plan to allow using nftset in place of ipset in uci config/PROCD objects before 22.03 is released? Would /usr/share/firewall4/main.uc need to be changed, or some other file? I'm confused.
Setting the ipset 6 should create a set with
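As an added illustration (written here, not taken from the thread or from fw4's own files), this is the `/etc/config/firewall` fragment I would use to get one IPv4 and one IPv6 UCI-declared set plus a rule that references the IPv6 one. It assumes the `family` option of the fw4 `ipset` section selects the address type (`ipv4_addr` vs `ipv6_addr`), which is what the last reply appears to be pointing at; the set names, the `_net` match type and the addresses are constructed placeholders.

```uci
# /etc/config/firewall (added example; names and addresses are constructed placeholders)

# Default family is ipv4, spelled out here for contrast with the IPv6 set below.
config ipset
	option name 'blocklist4'
	option family 'ipv4'
	list match 'src_net'
	list entry '192.0.2.0/24'
	list entry '198.51.100.7'

# Same declaration with family ipv6: fw4 materialises it as an ipv6_addr set
# inside its own table (inet fw4), so no table needs to be created by hand.
config ipset
	option name 'blocklist6'
	option family 'ipv6'
	list match 'src_net'
	list entry '2001:db8:bad::/48'

# A rule referencing the set by name; the direction (source) comes from the
# set's match type, so no extra nft syntax is needed in the rule itself.
config rule
	option name 'Drop-Blocklist6'
	option src 'wan'
	option ipset 'blocklist6'
	option target 'DROP'
```

After `fw4 reload`, `nft list set inet fw4 blocklist6` shows the generated set in the table and family the thread describes; comparing its `type` line against `nft list set inet fw4 blocklist4` is the quickest way to confirm that `family` is what drives the set type on your build, since the default reported above (`ipv4_addr` with `flags interval`) is otherwise indistinguishable from a misconfigured IPv6 declaration.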