My situation is that I have several interfaces for several docker networks. All docker networks should be able to reach the internet, so I currently have the following nftables snippet:
chain forward {
    type filter hook forward priority 0; policy drop;
    iifname docker0 ct state new accept comment "Accept forwards from docker0"
    iifname dck-backend ct state new accept comment "Accept forwards from dck-backend"
}
Since the two rules are very similar and differ only in the interface name, I would like to merge them into one if possible. I tried creating a set of interface names:
set docker_interfaces {
    type ifname; flags interval;
    elements = {
        docker0, dck-backend
    }
}
However, using the set in the rule
iifname @docker_interfaces accept comment "Accept traffic from docker containers"
results in the error:
Okt 07 10:55:26 naugol nft[968969]: /etc/nftables.conf:40:5-11: Error: Byteorder mismatch: expected big endian, got host endian
Okt 07 10:55:26 naugol nft[968969]: iifname @docker_interfaces accept comment "Accept traffic from docker containers"
Okt 07 10:55:26 naugol nft[968969]: ^^^^^^^
Okt 07 10:55:26 naugol systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
How can I specify multiple interfaces in a rule, or do I really need several near-identical rules to achieve this?
Answer 1
You could consider inlining it like this:
chain forward {
    type filter hook forward priority 0; policy drop;
    iifname { "docker0", "dck-backend" } ct state new accept comment "Accept forwards from docker interfaces"
}
Alternatively, you can use a define:
define interfaces = { "docker0", "dck-backend" }
chain forward {
    type filter hook forward priority 0; policy drop;
    iifname $interfaces ct state new accept comment "Accept forwards from docker interfaces"
}
It can also be done on the command line with the appropriate escaping:
nft add rule ip filter forward iifname \{ "docker0", "dck-backend" \} ct state new accept comment "Accept forwards from docker interfaces"