* Unable to create set -- netfilter v0.5 on Ubuntu
@ 2017-08-20  2:50 Jeff Kletsky
  2017-08-20  4:05 ` J Doe
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff Kletsky @ 2017-08-20  2:50 UTC (permalink / raw)
  To: netfilter

Coming from experience with Cisco and FreeBSD, it was a welcome relief 
to see that the relatively inscrutable _iptables_ had a successor with a 
much more readable syntax and greater power and flexibility. Having sets 
and dictionaries is crucial for ease of understanding, robustness, and 
maintainability for me, as is the ability to do an atomic swap of rules.

After spending quite some time reading <https://wiki.nftables.org/>, the 
installed man page, 
<http://www.netfilter.org/projects/nftables/manpage.html> and the few 
examples I could find, I did my best to fill in the gaps in the 
documentation and resolve inconsistencies between the official 
documentation and the examples out there, such as 
<https://wiki.gentoo.org/wiki/Nftables/Examples>


With what I believed to be something that was close to what would parse 
and compile, I started working through the syntax errors reported. 
Eventually it became clear that there were some core problems somewhere 
and I started with the simplest parts first. Create a set...

jeff@ubuntu:~$ sudo nft list ruleset
jeff@ubuntu:~$ sudo nft flush ruleset
jeff@ubuntu:~$ sudo nft add table inet global
jeff@ubuntu:~$ sudo nft list ruleset
table inet global {
}
jeff@ubuntu:~$ sudo nft add set global some_addrs { type ipv4_addr \; }
<cmdline>:1:1-46: Error: Could not process rule: Table 'global' does not exist
add set global some_addrs { type ipv4_addr ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
jeff@ubuntu:~$ sudo nft list ruleset
table inet global {
}


Ummm, it sure looks like _Table 'global'_ exists to me!

What am I missing here?


Are there any gotchas in building netfilter against kernel 4.4 or 4.9?

Is my reading correct that netfilter v0.7 requires kernel 4.10, or is 
that just for some of the new features, such as fib access for 
determining reverse path and reachability?


Thanks,

Jeff


nftables installed through apt on Ubuntu, on both an amd64 and an armv7l 
machine. Same behavior on both.
Fails similarly either from the command line or within an nft-processed 
file.


jeff@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:    16.04
Codename:    xenial

jeff@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

jeff@ubuntu:~$ dpkg -s nftables | fgrep Version
Version: 0.5+snapshot20151106-1


jeff@xu4-devel:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:    16.04
Codename:    xenial

jeff@xu4-devel:~$ uname -a
Linux xu4-devel 4.9.28-38 #1 SMP PREEMPT Mon May 15 22:34:14 UTC 2017 armv7l armv7l armv7l GNU/Linux

jeff@xu4-devel:~$ dpkg -s nftables | fgrep Version
Version: 0.5+snapshot20151106-1






* Re: Unable to create set -- netfilter v0.5 on Ubuntu
  2017-08-20  2:50 Unable to create set -- netfilter v0.5 on Ubuntu Jeff Kletsky
@ 2017-08-20  4:05 ` J Doe
  2017-08-20 15:49   ` Jeff Kletsky
  0 siblings, 1 reply; 3+ messages in thread
From: J Doe @ 2017-08-20  4:05 UTC (permalink / raw)
  To: Jeff Kletsky, netfilter

Hi Jeff,

The error is being caused because a table that does not explicitly state its protocol type is assumed to be of type ip.  In this case, we need to include "inet":

nft add set inet global some_addrs { type ipv4_addr \; }

There are no gotchas with building the nft user-land tool against kernel 4.4.  I have it built on a Ubuntu Server 16.04.03 LTS box which has a kernel of 4.4.0-92.

If you are building on Ubuntu Server, make sure to grab the build tools:

sudo apt-get install bison flex binutils build-essential autoconf libtool pkg-config

...and then follow the build steps from the wiki.

One little caveat - once you build libmnl and libnftnl, be sure to run:

sudo ldconfig

...and then build the nftables code.

To check for a proper install, check the version of nft:

nft -v
nftables v0.7 (Scrooge McDuck)

Regards,

- J


* Re: Unable to create set -- netfilter v0.5 on Ubuntu
  2017-08-20  4:05 ` J Doe
@ 2017-08-20 15:49   ` Jeff Kletsky
  0 siblings, 0 replies; 3+ messages in thread
From: Jeff Kletsky @ 2017-08-20 15:49 UTC (permalink / raw)
  To: J Doe, netfilter

Thanks J!

The "acceptable" syntax could certainly use some better documentation. 
After your suggestion about explicitly declaring the set's "type" I was 
able to get the "right" syntax for nft from the output of "nft list 
ruleset" (including the otherwise undocumented "elements=" syntax):

table inet global {
     set some_addrs {
         type ipv4_addr
         elements = { 192.168.0.1, 192.168.0.2 }
     }
}

At least within an nft file, the parser and compiler are smart enough to 
determine the proper "type" for the set as well as to which table it 
should be associated.


Jeff



Thanks also for the hints on compiling v0.7 under Ubuntu. For those that 
might find this through search, my notes had me needing to install the 
following past what I already had installed (/git/ and /automake/). I am 
not sure if /automake/ is required as it was installed prior to this effort.

libmnl-dev is available as a package. I chose to uninstall and build the 
latest from source. libnftnl in package form appeared to be several 
versions old in the xenial repositories. I also uninstalled and built 
from source.

libgmp-dev might be able to be skipped if you are doing a build that 
uses the "internal" gmp for nftables

--with-mini-gmp         Use builtin mini-gmp (for embedded builds)

libjansson-dev is only needed if you enable JSON parsing within libnftnl

   --with-json-parsing     JSON parsing support


autogen
libtool
bison
flex
pkg-config
libgmp-dev
libreadline-dev

libjansson-dev


Errors along the way to finding the set of required packages for search 
keys:

configure.ac:28: error: possibly undefined macro: AC_DISABLE_STATIC
       If this token and others are legitimate, please use m4_pattern_allow.
       See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

./configure: line 4155: syntax error near unexpected token `LIBMNL,'
./configure: line 4155: `PKG_CHECK_MODULES(LIBMNL, libmnl >= 1.0.0)'

./configure: line 4786: syntax error near unexpected token `LIBMNL,'
./configure: line 4786: `PKG_CHECK_MODULES(LIBMNL, libmnl >= 1.0.3)'


On 8/19/17 9:05 PM, J Doe wrote:
> The error is being caused because a table that does not explicitly state its protocol type is assumed to be of type ip.  In this case, we need to include "inet":
>
> nft add set inet global some_addrs { type ipv4_addr \; }
>
> [...]
>
> If you are building on Ubuntu Server, make sure to grab the build tools:
>
> sudo apt-get install bison flex binutils build-essential autoconf libtool pkg-config
>
> ...and then follow the build steps from the wiki.
>
> One little caveat - once you build libmnl and libnftnl, be sure to run:
>
> sudo ldconfig
>
> ...and then build the nftables code.

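Putting the family-qualified syntax from this thread together, as an added example that is not from any of the posts: a complete nft file, assumed to be loaded with `sudo nft -f <file>`, that replaces the whole ruleset atomically (the `flush ruleset` and the new table land in one transaction) and actually uses the `inet` set in a rule. The chain name, the `admin_ports` verdict map and the address/port values are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Loaded with: sudo nft -f this_file
# The flush and the new definitions below are committed as one transaction,
# so there is no window in which the host runs with an empty or partial policy.
flush ruleset

# The family ("inet") must be given here, exactly as it is on the command line;
# without it nft would look for an "ip" table named "global" and fail.
table inet global {
    # Named set: the "elements =" form is what "nft list ruleset" prints back.
    set some_addrs {
        type ipv4_addr
        elements = { 192.168.0.1, 192.168.0.2 }   # constructed sample values
    }

    # Named verdict map ("dictionary"): port -> verdict, constructed for illustration.
    map admin_ports {
        type inet_service : verdict
        elements = { 22 : accept, 443 : accept }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to our own connections and loopback traffic.
        ct state established,related accept
        iif lo accept

        # Sets and maps are referenced with @name. Only sources in the set
        # reach the map lookup; everything else falls through to the drop policy.
        ip saddr @some_addrs tcp dport vmap @admin_ports
    }
}
```

After loading, `sudo nft list ruleset` should echo the table back in this same form, which is the quickest way to confirm the family and set attachment are what you intended.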

