My situation is that I have multiple interfaces for multiple Docker networks. All Docker networks should be able to reach the internet, so I currently have the following nftables snippet:

chain forward {
    type filter hook forward priority 0; policy drop;
    iifname docker0 ct state new accept comment "Accept forwards from docker0"
    iifname dck-backend ct state new accept comment "Accept forwards from dck-backend"
}

Since these two rules are identical except for the interface name, I would like to merge them into one if possible. I tried creating a set of interface names:
set docker_interfaces {
    type ifname; flags interval;
    elements = {
        docker0, dck-backend
    }
}

However, using the set in a rule

iifname @docker_interfaces accept comment "Accept traffic from docker containers"

leads to an error:
Okt 07 10:55:26 naugol nft[968969]: /etc/nftables.conf:40:5-11: Error: Byteorder mismatch: expected big endian, got host endian
Okt 07 10:55:26 naugol nft[968969]: iifname @docker_interfaces accept comment "Accept traffic from docker containers"
Okt 07 10:55:26 naugol nft[968969]: ^^^^^^^
Okt 07 10:55:26 naugol systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE

How can I specify multiple interfaces in a single rule, or are several similar rules really required to achieve this?

Posted on 2020-10-08 17:04:55

You might consider inlining it like this:
chain forward {
    type filter hook forward priority 0; policy drop;
    iifname { "docker0", "dck-backend" } ct state new accept comment "Accept forwards from docker interfaces"
}

Alternatively, you can use define:

define interfaces = { "docker0", "dck-backend" }
chain forward {
    type filter hook forward priority 0; policy drop;
    iifname $interfaces ct state new accept comment "Accept forwards from docker interfaces"
}

It also works on the command line with appropriate escaping:

nft add rule ip filter forward iifname \{ "docker0", "dck-backend" \} ct state new accept comment "Accept forwards from docker interfaces"
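As an added example that is not part of the original answer, the define approach above generalised to any number of interfaces: a shell function renders a complete forward chain from a list of interface names and the result can be dry-run parsed with nft -c -f before it is loaded. The table name "filter", the output path and the established,related rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a forward chain that
# accepts new connections from any number of Docker bridge interfaces with a
# single `define`, then dry-run it with `nft -c -f` when nft is installed.
# Table name "filter", the output path and the interface names are assumptions.

# gen_ruleset IFACE... -> prints an nftables ruleset to stdout
gen_ruleset() {
    list=""
    for ifc in "$@"; do
        # build `"a", "b", "c"` from the positional arguments
        list="${list:+$list, }\"$ifc\""
    done
    cat <<EOF
define docker_ifaces = { $list }

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # return traffic for connections that were already accepted
        ct state established,related accept
        # one rule covers every interface listed in the define
        iifname \$docker_ifaces ct state new accept comment "Accept forwards from docker interfaces"
    }
}
EOF
}

# check_ruleset FILE -> parse-only check; returns 0 when nft accepts the file
# (or when nft is not installed, in which case the check is skipped)
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Example run with the two interfaces from the question
gen_ruleset docker0 dck-backend > /tmp/docker-forward.nft
check_ruleset /tmp/docker-forward.nft || echo "syntax check failed" >&2
```

Loading the file for real (nft -f /tmp/docker-forward.nft) replaces only the objects it declares, so run the check first on a host where an existing forward chain is in use.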
https://serverfault.com/questions/1036742