* nftables set - network/netmask
From: hdemir @ 2018-01-31 7:25 UTC
To: netfilter

Hi,

I am trying to translate ipset to nftables; I could not add networks as below. How can I add blocks of IP addresses to the set? Am I missing something? If not, is it possible to add this function?

-------------------------
add table filter
add set filter whitelist2 { type ipv4_addr . inet_proto . inet_service . ipv4_addr ;}
add element filter whitelist2 { \
    10.10.1.0/24 . tcp . 25 . 10.1.1.1 comment "test", \
    10.1.1.0 . tcp . 2 . 1.1.1.1 comment "test2" \
}

# nft -c -f abcd
abcd:4:30-30: Error: syntax error, unexpected ., expecting comma or '}'
    10.10.1.0/24 . tcp . 25 . 10.1.1.1 comment "test", \

There is no error message without this line:
-------------------
add table filter
add set filter whitelist2 { type ipv4_addr . inet_proto . inet_service . ipv4_addr ;}
add element filter whitelist2 { \
    10.1.1.0 . tcp . 2 . 1.1.1.1 comment "test2" \
}

# nft -c -f abcd
#

Thanks.
* Re: nftables set - network/netmask
From: hdemir @ 2018-02-01 7:50 UTC
To: netfilter

Hi,

I found this conversation:

https://www.spinics.net/lists/netfilter/msg56947.html

It would be useful to have a NET function as ipset has:

hash:net,net
hash:net,port,net
hash:net,iface

etc.

Thanks.
* Re: nftables set - network/netmask
From: Arturo Borrero Gonzalez @ 2018-02-01 10:03 UTC
To: hdemir; +Cc: Netfilter Users Mailing list

On 1 February 2018 at 08:50, hdemir <hdemir@metu.edu.tr> wrote:
> Hi,
>
> I found this conversation;
>
> https://www.spinics.net/lists/netfilter/msg56947.html
>
> It would be useful to have NET function as ipset has.
>

Then, using that example:

> hash:net,net

% nft add rule tablename chainname ip saddr and 255.255.255.0 . ip daddr and 255.255.255.0 vmap { 10.10.10.0 . 10.10.20.0 : accept }

> hash:net,port,net

% nft add rule tablename chainname ip saddr and 255.255.255.0 . tcp dport . ip daddr and 255.255.255.0 vmap { 10.10.10.0 . 80 . 10.10.20.0 : accept }

> hash:net,iface
>

% nft add rule tablename chainname ip saddr and 255.255.255.0 . iif vmap { 10.10.10.0 . eth0 : accept }

Will add this to the nftables wiki [0].

[0] https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Examples
* Re: nftables set - network/netmask
From: Pablo Neira Ayuso @ 2018-02-01 11:19 UTC
To: Arturo Borrero Gonzalez; +Cc: hdemir, Netfilter Users Mailing list

On Thu, Feb 01, 2018 at 11:03:35AM +0100, Arturo Borrero Gonzalez wrote:
> Will add this to the nftables wiki [0].

Thanks Arturo!

Sorry, I overlooked your reply.
* Re: nftables set - network/netmask
From: Hüsnü Demir @ 2018-02-01 18:28 UTC
To: Pablo Neira Ayuso; +Cc: Arturo Borrero Gonzalez, Netfilter Users Mailing list

Thanks for your answer, but it would be more useful for me to add multiple CIDRs like

{ 10.10.0.0/24 . tcp . 22,
  10.1.0.0/27 . tcp . 21, }

etc. I did not perf test by writing a rule for each block. About 10 rules and 10 different subnet blocks: it will be 100 rules, a 90% increase. Better to stick with ipset? I have lots of different subnets, and in ipset it is pretty easy. As far as I see, netmask support will suffice for that.

By the way, it would be helpful to add these to the wiki.

Thanks again.

Sent from my iPad

Pablo Neira Ayuso <pablo@netfilter.org> wrote (1 Feb 2018 14:19):
> Thanks Arturo!
>
> Sorry, I overlook your reply.
* Re: nftables set - network/netmask
From: Pablo Neira Ayuso @ 2018-02-01 11:19 UTC
To: hdemir; +Cc: netfilter

On Thu, Feb 01, 2018 at 10:50:53AM +0300, hdemir wrote:
> Hi,
>
> I found this conversation;
>
> https://www.spinics.net/lists/netfilter/msg56947.html
>
> It would be useful to have NET function as ipset has.
>
>
> hash:net,net
> hash:net,port,net
> hash:net,iface

It's already possible, eg.

nft add table filter
nft add chain filter x
nft add set filter whitelist2 { type ipv4_addr . inet_proto . inet_service . ipv4_addr \;}
nft add element filter whitelist2 { 10.1.1.0 . tcp . 2 . 1.1.1.1 comment "test2" }
nft add rule filter x ip saddr and 255.255.255.0 . ip protocol . tcp dport . ip daddr @whitelist2 counter

So the trick is to do this from rules:

nft add rule filter x ip saddr and 255.255.255.0 . ip protocol . tcp dport . ip daddr @whitelist2 counter
                               ^^^^^^^^^^^^^^^^^

We should support /24 (cidr notation) instead at some point though, this just needs some code in the userland.
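Hüsnü's worry about one rule per subnet and Pablo's "mask in the rule" trick combine naturally: since the mask is applied by the rule, all subnets with the same prefix length can share one set and one rule, so the rule count grows with the number of distinct prefix lengths rather than the number of subnets. The generator below is an added example, not code from the thread or the nftables project; the entry list is constructed, and the set/chain names (whitelist_<prefix>, chain x) are my own choice.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the thread): (cidr, proto, port) entries such
# as an ipset hash:net,port list would hold. All entries are TCP, because the
# generated rule uses "tcp dport" exactly as in Pablo's example.
ENTRIES = [
    ("10.10.0.0/24", "tcp", 22),
    ("10.1.0.0/27", "tcp", 21),
    ("10.1.1.77/27", "tcp", 21),   # host bits set; normalised to 10.1.1.64/27
    ("192.0.2.0/24", "tcp", 22),
]

def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad netmask for an IPv4 prefix length, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def group_by_prefix(entries):
    """Map prefix length -> set of (network address, proto, port), deduplicated."""
    groups = defaultdict(set)
    for cidr, proto, port in entries:
        net = ipaddress.IPv4Network(cidr, strict=False)   # clears stray host bits
        groups[net.prefixlen].add((str(net.network_address), proto, int(port)))
    return groups

def render_ruleset(entries, table="filter", chain="x", verdict="accept"):
    """Emit text for `nft -f`: one set and one rule per distinct prefix length."""
    lines = [f"add table {table}", f"add chain {table} {chain}"]
    for prefix, members in sorted(group_by_prefix(entries).items(), reverse=True):
        name = f"whitelist_{prefix}"   # hypothetical naming scheme
        lines.append(f"add set {table} {name} "
                     f"{{ type ipv4_addr . inet_proto . inet_service ; }}")
        elems = ", ".join(f"{n} . {p} . {d}" for n, p, d in sorted(members))
        lines.append(f"add element {table} {name} {{ {elems} }}")
        # The rule masks the source address (Pablo's trick), so the set only
        # needs to hold network addresses without a prefix length.
        lines.append(f"add rule {table} {chain} ip saddr and {prefix_to_mask(prefix)}"
                     f" . ip protocol . tcp dport @{name} {verdict}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_ruleset(ENTRIES), end="")
```

Write the output to a file and check it with `nft -c -f <file>` before loading; for the four constructed entries it yields two sets and two rules instead of four rules.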