* nftables multi-dimensional dictionaries
From: Alex Chapman @ 2015-09-02  9:17 UTC (permalink / raw)
  To: netfilter

Hi,

Are multi-dimensional dictionaries supported in nftables? For example:

nft add rule ip filter forward meta iifname . meta oifname { \ eth0 . eth1 : jump chain \ }

Thanks


* Re: nftables multi-dimensional dictionaries
From: Pablo Neira Ayuso @ 2015-09-03 16:35 UTC (permalink / raw)
  To: Alex Chapman; +Cc: netfilter

On Wed, Sep 02, 2015 at 10:17:12AM +0100, Alex Chapman wrote:
> Hi,
> 
> Are multi-dimensional dictionaries supported in nftables? For example:
> 
> nft add rule ip filter forward meta iifname . meta oifname { \ eth0 . eth1 : jump chain \ }

Currently we don't support iifname and oifname, the utility complains
since it's a variable length datatype. But I think we can fix this by
using the maximum length.

Anyway, meanwhile you can use iif and oif for devices whose device
index is not expected to change.

So this is how what you need looks:

        nft add rule ip filter forward \
                meta iif . meta oif vmap { eth0 . eth1 : jump test-chain }

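As an added example (not code from the thread or from the nftables project), a small Python generator that emits an `nft -f` ruleset built around the concatenated `meta iif . meta oif vmap { ... }` form Pablo shows, defines the jump targets before the rule that references them, and offers a check for jump targets that are missing from a list of defined chains. The table name, chain names and interface pairs are constructed samples; as Pablo notes, `iif`/`oif` keys are interface indexes, so this only suits devices whose ifindex is stable.

```python
"""Generate an nft -f ruleset that dispatches forwarded traffic on the
(input interface, output interface) pair with a concatenated vmap."""

# Constructed sample policy: (iif, oif) -> chain to jump to.
# Keys are written as interface names; nft resolves them to interface
# indexes when the rule is loaded, so this only suits devices whose
# ifindex does not change (no hot-plugged or re-created interfaces).
POLICY = {
    ("eth0", "eth1"): "lan_to_wan",
    ("eth1", "eth0"): "wan_to_lan",
    ("eth0", "lo"): "to_local",
}


def forward_vmap_rule(policy):
    """Render one rule in the form used in the thread:
    meta iif . meta oif vmap { eth0 . eth1 : jump chain, ... }"""
    elems = ", ".join(f"{i} . {o} : jump {chain}"
                      for (i, o), chain in sorted(policy.items()))
    return f"meta iif . meta oif vmap {{ {elems} }}"


def dangling_targets(policy, defined_chains):
    """Chains the vmap jumps to that are not in defined_chains (for example
    the names from `nft list chains`); nft rejects a jump to a missing chain."""
    return sorted(set(policy.values()) - set(defined_chains))


def build_ruleset(policy, table="filter", base_chain="forward"):
    """Emit a complete ruleset. Target chains are written before the base
    chain so every jump target exists when the vmap rule is added. Pairs
    absent from the map get no verdict from the vmap and fall through to
    the base chain policy, which is drop here."""
    targets = sorted(set(policy.values()))
    if base_chain in targets:
        raise ValueError(f"vmap must not jump back into {base_chain}")
    lines = [f"table ip {table} {{"]
    for chain in targets:
        # Per-pair chain; path-specific rules go here (placeholder: count and accept).
        lines += [f"\tchain {chain} {{", "\t\tcounter accept", "\t}"]
    lines += [
        f"\tchain {base_chain} {{",
        "\t\ttype filter hook forward priority 0; policy drop;",
        "\t\t" + forward_vmap_rule(policy),
        "\t}",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(POLICY), end="")  # pipe into: nft -f -
```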

* RE: nftables multi-dimensional dictionaries
From: Alex Chapman @ 2015-09-04 13:32 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo,

Thanks for the response. Do I need kernel 4.2 to support this? I'm on 4.1 currently and the command below is erroring:

# nft add rule ip firewall forward  meta iif . meta oif vmap { eth0 . lo : jump test }
<cmdline>:1:55-79: Error: Could not process rule: Invalid argument
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:55-79: Error: Could not process rule: No such file or directory
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:1-79: Error: Could not process rule: No such file or directory
add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(table named firewall and both 'forward' and 'test' chains configured).



* Re: nftables multi-dimensional dictionaries
From: Pablo Neira Ayuso @ 2015-09-04 14:44 UTC (permalink / raw)
  To: Alex Chapman; +Cc: netfilter

On Fri, Sep 04, 2015 at 02:32:31PM +0100, Alex Chapman wrote:
> Hi Pablo,
> 
> Thanks for the response. Do I need kernel 4.2 to support this? I'm on 4.1 currently and the command below is erroring:
> 
> # nft add rule ip firewall forward  meta iif . meta oif vmap { eth0 . lo : jump test }
> <cmdline>:1:55-79: Error: Could not process rule: Invalid argument
> add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
>                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^
> <cmdline>:1:55-79: Error: Could not process rule: No such file or directory
> add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
>                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^
> <cmdline>:1:1-79: Error: Could not process rule: No such file or directory
> add rule ip firewall forward meta iif . meta oif vmap { eth0 . lo : jump test }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> (table named firewall and both 'forward' and 'test' chains configured). 

You need this oneliner fix:

http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=bf798657eb5ba57552096843c315f096fdf9b715

It's on its way to 4.3-rc and I will send it to -stable 4.1 and 4.2 asap.
