network: firewall integration with NFT sets

New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for integrating configuration of dynamic networks into firewall rules with NFT sets. /etc/systemd/network/eth.network ``` [DHCPv4] ... NFTSet=netdev:filter:eth_ipv4_address ``` ``` table netdev filter { set eth_ipv4_address { type ipv4_addr flags interval } chain eth_ingress { type filter hook ingress device "eth0" priority filter; policy drop; ip saddr != @eth_ipv4_address drop accept } } ``` ``` sudo nft list set netdev filter eth_ipv4_address table netdev filter { set eth_ipv4_address { type ipv4_addr flags interval elements = { 10.0.0.0/24 } } } ```
author: Topi Miettinen <toiwoton@gmail.com> 2022-05-22 14:09:06 +0300
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2022-06-08 16:12:25 +0000
commit: ab51fd9dbdc59f9a37acd8acaea3e9088d092bba (patch)
tree: 82dbd77f4def265280ea0bb5463cd105f6cd3fcb /src/basic/parse-util.h
parent: e8f1b50f271f5e28b99182c56eb1b8c704456c34 (diff)
download: systemd-ab51fd9dbdc59f9a37acd8acaea3e9088d092bba.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/basic/parse-util.h b/src/basic/parse-util.h
index f2222dcffb..8530ad1c49 100644
--- a/src/basic/parse-util.h
+++ b/src/basic/parse-util.h
@@ -146,3 +146,5 @@ int parse_oom_score_adjust(const char *s, int *ret);
  * to a loadavg_t. */
 int store_loadavg_fixed_point(unsigned long i, unsigned long f, loadavg_t *ret);
 int parse_loadavg_fixed_point(const char *s, loadavg_t *ret);
+
+bool nft_identifier_bad(const char *id);
author	Topi Miettinen <toiwoton@gmail.com>	2022-05-22 14:09:06 +0300
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2022-06-08 16:12:25 +0000
commit	ab51fd9dbdc59f9a37acd8acaea3e9088d092bba (patch)
tree	82dbd77f4def265280ea0bb5463cd105f6cd3fcb /src/basic/parse-util.h
parent	e8f1b50f271f5e28b99182c56eb1b8c704456c34 (diff)
download	systemd-ab51fd9dbdc59f9a37acd8acaea3e9088d092bba.tar.gz