@LionelJouin
Last active October 29, 2021 14:47
nftables (nft list ruleset -ay)
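# Create a dedicated inet (IPv4 + IPv6) table that holds the flow-a classification sets and chain.
nft add table inet meridio-nfqlb
# Named sets. "flags interval" allows prefixes and ranges as elements (e.g. 179.10.10.0/24, 3000-65535).
# "\;" is escaped so the shell passes the ";" through to nft inside the braces.
nft add set inet meridio-nfqlb flow-a-saddrs-v4 { type ipv4_addr\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-daddrs-v4 { type ipv4_addr\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-saddrs-v6 { type ipv6_addr\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-daddrs-v6 { type ipv6_addr\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-sports { type inet_service\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-dports { type inet_service\; flags interval \; }
nft add set inet meridio-nfqlb flow-a-protocols { type inet_proto\; flags interval \; }
nft add element inet meridio-nfqlb flow-a-saddrs-v4 { 179.10.10.0/24, 180.10.10.0/24 }
nft add element inet meridio-nfqlb flow-a-daddrs-v4 { 20.0.0.1/32, 40.0.0.0/24 }
# FIX: the two ipv6_addr sets were previously filled with the same IPv4 prefixes as the v4 sets.
# An ipv6_addr set cannot take IPv4 elements, so those commands did not populate anything (the
# "nft list ruleset" dump shows both v6 sets with no elements) and the ip6 rules below could never
# match. The prefixes used here are RFC 3849 documentation placeholders (2001:db8::/32) — replace
# them with the real IPv6 source and destination ranges before deploying.
nft add element inet meridio-nfqlb flow-a-saddrs-v6 { 2001:db8:a::/48, 2001:db8:b::/48 }
nft add element inet meridio-nfqlb flow-a-daddrs-v6 { 2001:db8:1::1/128, 2001:db8:2::/64 }
nft add element inet meridio-nfqlb flow-a-sports { 3000-65535, 2000 }
nft add element inet meridio-nfqlb flow-a-dports { 7001 }
nft add element inet meridio-nfqlb flow-a-protocols { tcp, udp }
# Base chain on the prerouting hook (priority 0 = filter). The chain policy defaults to accept, so
# traffic that matches none of the rules below passes through untouched: this chain classifies
# traffic for the queue, it is not a firewall.
nft add chain inet meridio-nfqlb flow-a { type filter hook prerouting priority 0 \; }
# Each rule counts the match and hands the packet to userspace NFQUEUE number 1. No "bypass" flag
# is set: if no process is bound to queue 1 the kernel drops the matching packets (fail-closed).
# Add "bypass" to "queue num 1" only if fail-open (accept while the listener is down) is intended.
# "tcp dport"/"udp dport" already imply the L4 protocol; the @flow-a-protocols match is kept so the
# set stays the single place to restrict which protocols are queued.
nft add rule inet meridio-nfqlb flow-a ip protocol @flow-a-protocols ip saddr @flow-a-saddrs-v4 ip daddr @flow-a-daddrs-v4 tcp dport @flow-a-dports tcp sport @flow-a-sports counter queue num 1
nft add rule inet meridio-nfqlb flow-a ip protocol @flow-a-protocols ip saddr @flow-a-saddrs-v4 ip daddr @flow-a-daddrs-v4 udp dport @flow-a-dports udp sport @flow-a-sports counter queue num 1
nft add rule inet meridio-nfqlb flow-a ip6 nexthdr @flow-a-protocols ip6 saddr @flow-a-saddrs-v6 ip6 daddr @flow-a-daddrs-v6 tcp dport @flow-a-dports tcp sport @flow-a-sports counter queue num 1
nft add rule inet meridio-nfqlb flow-a ip6 nexthdr @flow-a-protocols ip6 saddr @flow-a-saddrs-v6 ip6 daddr @flow-a-daddrs-v6 udp dport @flow-a-dports udp sport @flow-a-sports counter queue num 1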
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management
# Inspect what is currently loaded in the kernel.
nft list tables
nft list chains
nft list ruleset
# Same dump with object handles (--handle / -a) and numeric hook priorities
# (--numeric-priority / -y); handles are what "nft delete rule ... handle N" needs.
nft --handle --numeric-priority list ruleset
# Tear-down, in order: remove the base chain (detaches the prerouting hook first),
# empty the table of its remaining sets and chains, then remove the table itself.
nft delete chain inet meridio-nfqlb flow-a
nft flush table inet meridio-nfqlb
nft delete table inet meridio-nfqlb
# Output of "nft list ruleset -ay": -a shows object handles, -y shows hook priorities numerically.
table inet meridio-nfqlb { # handle 1693
set flow-a-saddrs-v4 { # handle 1
type ipv4_addr
flags interval
elements = { 179.10.10.0/24, 180.10.10.0/24 }
}
set flow-a-daddrs-v4 { # handle 2
type ipv4_addr
flags interval
# nft prints the /32 that was added as the bare address 20.0.0.1.
elements = { 20.0.0.1, 40.0.0.0/24 }
}
# NOTE(review): both ipv6_addr sets are empty. The "add element" commands for them supplied
# IPv4 prefixes, which cannot populate an ipv6_addr set. Until real IPv6 ranges are added,
# the two ip6 rules in chain flow-a below can never match (their counters stay at 0).
set flow-a-saddrs-v6 { # handle 3
type ipv6_addr
flags interval
}
set flow-a-daddrs-v6 { # handle 4
type ipv6_addr
flags interval
}
set flow-a-sports { # handle 5
type inet_service
flags interval
# Interval set: one single port plus one range; the dump lists elements in ascending order.
elements = { 2000, 3000-65535 }
}
set flow-a-dports { # handle 6
type inet_service
flags interval
elements = { 7001 }
}
set flow-a-protocols { # handle 7
type inet_proto
flags interval
elements = { tcp, udp }
}
chain flow-a { # handle 16
# Base chain on the prerouting hook. "policy accept": anything not matched by a rule passes through,
# so this chain only selects traffic for the queue and does not block anything.
type filter hook prerouting priority 0; policy accept;
# Each rule counts matches, then diverts the packet to userspace NFQUEUE 1. No "bypass" flag is
# present, so if nothing is bound to queue 1 the kernel drops matching packets (fail-closed).
# "packets 0 bytes 0": nothing had matched at the time of this dump.
ip protocol @flow-a-protocols ip saddr @flow-a-saddrs-v4 ip daddr @flow-a-daddrs-v4 tcp dport @flow-a-dports tcp sport @flow-a-sports counter packets 0 bytes 0 queue num 1 # handle 17
ip protocol @flow-a-protocols ip saddr @flow-a-saddrs-v4 ip daddr @flow-a-daddrs-v4 udp dport @flow-a-dports udp sport @flow-a-sports counter packets 0 bytes 0 queue num 1 # handle 18
# The two ip6 rules below reference the empty v6 sets and therefore currently match nothing.
ip6 nexthdr @flow-a-protocols ip6 saddr @flow-a-saddrs-v6 ip6 daddr @flow-a-daddrs-v6 tcp dport @flow-a-dports tcp sport @flow-a-sports counter packets 0 bytes 0 queue num 1 # handle 19
ip6 nexthdr @flow-a-protocols ip6 saddr @flow-a-saddrs-v6 ip6 daddr @flow-a-daddrs-v6 udp dport @flow-a-dports udp sport @flow-a-sports counter packets 0 bytes 0 queue num 1 # handle 20
}
}