# cat x.nft
define interfaces = { eth0, eth1 }
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { lo : accept, $interfaces : drop }
}
}
# nft -f x.nft
# nft list ruleset
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (list_member_evaluate(ctx, &i) < 0)
return -1;
+ if (i->etype == EXPR_MAPPING &&
+ i->left->etype == EXPR_SET_ELEM &&
+ i->left->key->etype == EXPR_SET) {
+ struct expr *new, *j;
+
+ list_for_each_entry(j, &i->left->key->expressions, list) {
+ new = mapping_expr_alloc(&i->location,
+ expr_get(j),
+ expr_clone(i->right));
+ list_add_tail(&new->list, &set->expressions);
+ set->size++;
+ }
+ list_del(&i->list);
+ expr_free(i);
+ continue;
+ }
+
elem = expr_set_elem(i);
if (elem->etype == EXPR_SET_ELEM &&
--- /dev/null
+#!/bin/bash
+
+set -e
+
+EXPECTED="define interfaces = { eth0, eth1 }
+
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { \$interfaces : drop, lo : accept }
+ }
+ chain y {
+ iifname vmap { lo : accept, \$interfaces : drop }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
--- /dev/null
+table ip x {
+ map z {
+ type ifname : verdict
+ elements = { "lo" : accept,
+ "eth0" : drop,
+ "eth1" : drop }
+ }
+
+ chain y {
+ iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
+ }
+}
projects / thirdparty / nftables.git / commitdiff
