diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2022-05-22 14:09:06 +0300 |
|---|---|---|
| committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2022-06-08 16:12:25 +0000 |
| commit | ab51fd9dbdc59f9a37acd8acaea3e9088d092bba (patch) | |
| tree | 82dbd77f4def265280ea0bb5463cd105f6cd3fcb /man/systemd.resource-control.xml | |
| parent | e8f1b50f271f5e28b99182c56eb1b8c704456c34 (diff) | |
| download | systemd-ab51fd9dbdc59f9a37acd8acaea3e9088d092bba.tar.gz | |
network: firewall integration with NFT sets
New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for
integrating configuration of dynamic networks into firewall rules with NFT
sets.
/etc/systemd/network/eth.network
```
[DHCPv4]
...
NFTSet=netdev:filter:eth_ipv4_address
```
```
table netdev filter {
set eth_ipv4_address {
type ipv4_addr
flags interval
}
chain eth_ingress {
type filter hook ingress device "eth0" priority filter; policy drop;
ip saddr != @eth_ipv4_address drop
accept
}
}
```
```
sudo nft list set netdev filter eth_ipv4_address
table netdev filter {
set eth_ipv4_address {
type ipv4_addr
flags interval
elements = { 10.0.0.0/24 }
}
}
```
Diffstat (limited to 'man/systemd.resource-control.xml')
0 files changed, 0 insertions, 0 deletions