Dynamic list for net's

Dynamic list for net's

[Іван Щербей]

Hi all

I have question about "SET"

I read this block on manpage:
>
> Using anonymous sets to accept particular subnets and ports.
>
>
> nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
>
> Named sets are sets that need to be defined first before they can be referenced in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. Sets are referenced from rules using an @ prefixed to the sets name.
>
> Using named sets to accept addresses and ports.
>
>
> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept


But i can't use network how elements in set. because only ipv4_addr or
ipv6_addr types are supported.

How can I do it in other way?

I need to check large lists of networks ( more than 40k in one list )
I used to do this with ipset:
Example:
create net_allow hash:net family inet hashsize 1024 maxelem 65536
add net_allow X.X.X.X/X

I am trying this with "vmap".but it doesn’t look very easy and I need
to use "jump" in rules


Regards
Ivan

P.S. Sorry for my English

Re: Dynamic list for net's

[kfm]

On 13/05/2020 18:40, Іван Щербей wrote:
> Hi all
> 
> I have question about "SET"
> 
> I read this block on manpage:
>>
>> Using anonymous sets to accept particular subnets and ports.
>>
>>
>> nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
>>
>> Named sets are sets that need to be defined first before they can be referenced in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. Sets are referenced from rules using an @ prefixed to the sets name.
>>
>> Using named sets to accept addresses and ports.
>>
>>
>> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
> 
> 
> But i can't use network how elements in set. because only ipv4_addr or
> ipv6_addr types are supported.

For named sets, ensure that the "interval" flag is present. See the 
discussion that occurred in the following bug:

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

-- 
Kerin Millar

Re: Dynamic list for net's

[Іван Щербей]

Yes, that's what I want
Thank you very much.



ср, 13 мая 2020 г. в 21:39, <kfm@plushkava.net>:
>
> On 13/05/2020 18:40, Іван Щербей wrote:
> > Hi all
> >
> > I have question about "SET"
> >
> > I read this block on manpage:
> >>
> >> Using anonymous sets to accept particular subnets and ports.
> >>
> >>
> >> nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
> >>
> >> Named sets are sets that need to be defined first before they can be referenced in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. Sets are referenced from rules using an @ prefixed to the sets name.
> >>
> >> Using named sets to accept addresses and ports.
> >>
> >>
> >> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
> >
> >
> > But i can't use network how elements in set. because only ipv4_addr or
> > ipv6_addr types are supported.
>
> For named sets, ensure that the "interval" flag is present. See the
> discussion that occurred in the following bug:
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1380
>
> --
> Kerin Millar

Re: Dynamic list for net's

[Іван Щербей]

Hi again.

How can flush "sets" ?

i get this message when try it:
# nft flush set ip filter ua_ix_list
<cmdline>:1:1-31: Error: Could not process rule: Invalid argument
flush set ip filter ua_ix_list
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

But:
# nft list set ip filter ua_ix_list
table ip filter {
        set ua_ix_list {
                type ipv4_addr
                flags interval
        }
}



Install version:
nftables v0.7 (Scrooge McDuck)

Thanks

ср, 13 мая 2020 г. в 21:59, Іван Щербей <ivan@intraffic.ua>:
>
> Yes, that's what I want
> Thank you very much.
>
>
>
> ср, 13 мая 2020 г. в 21:39, <kfm@plushkava.net>:
> >
> > On 13/05/2020 18:40, Іван Щербей wrote:
> > > Hi all
> > >
> > > I have question about "SET"
> > >
> > > I read this block on manpage:
> > >>
> > >> Using anonymous sets to accept particular subnets and ports.
> > >>
> > >>
> > >> nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
> > >>
> > >> Named sets are sets that need to be defined first before they can be referenced in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. Sets are referenced from rules using an @ prefixed to the sets name.
> > >>
> > >> Using named sets to accept addresses and ports.
> > >>
> > >>
> > >> nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
> > >
> > >
> > > But i can't use network how elements in set. because only ipv4_addr or
> > > ipv6_addr types are supported.
> >
> > For named sets, ensure that the "interval" flag is present. See the
> > discussion that occurred in the following bug:
> >
> > https://bugzilla.netfilter.org/show_bug.cgi?id=1380
> >
> > --
> > Kerin Millar