Netfilter-Devel Archive on lore.kernel.org
* nftables and set with interval
@ 2019-08-08 11:47 Serguei Bezverkhi (sbezverk)
  2019-08-08 13:18 ` Laura Garcia
  0 siblings, 1 reply; 4+ messages in thread
From: Serguei Bezverkhi (sbezverk) @ 2019-08-08 11:47 UTC (permalink / raw)
  To: netfilter-devel

Hello,
 
I am developing a golang nftables library. I am debugging an nftables set with elements defining intervals. I compare what gets generated by the nft command and the strace of my code.
 
Based on the output of this command:
 
sudo nft --debug all add rule ipv4table ipv4chain-1  ip daddr { 192.16.0.0/16, 10.16.0.0/16 } return
 
It seems nft sets NFTNL_SET_KEY_TYPE (0x4) to 0x2, and I cannot find anywhere what it means.
{{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x02"}, 
 
When I decode the strace generated for my code, it always gets set to 0x01
{{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x01"},
 
I would really appreciate a pointer to where key types are defined, and also which flags and/or expressions are needed for sets with intervals.
 
Thank you
Serguei
 
 
Full decode below:
 
{{len=108, type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSET, flags=NLM_F_REQUEST|NLM_F_CREATE, seq=1, pid=0},
{nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0),
[
{{nla_len=14, nla_type=NFNETLINK_V1}, "\x69\x70\x76\x34\x74\x61\x62\x6c\x65\x00"},
 
NFTA_SET_NAME                     = 0x2
{{nla_len=12, nla_type=0x2}, "\x5f\x5f\x73\x65\x74\x25\x64\x00"},
 
NFTA_SET_FLAGS                    = 0x3
{{nla_len=8, nla_type=0x3}, "\x00\x00\x00\x07"},
 
NFTA_SET_KEY_TYPE                 = 0x4
{{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x07"},
 
NFTA_SET_KEY_LEN                  = 0x5
{{nla_len=8, nla_type=0x5}, "\x00\x00\x00\x04"},
 
NFTA_SET_ID                       = 0xa
{{nla_len=8, nla_type=0xa}, "\x00\x00\x00\x02"},
 
NFTA_SET_DESC                     = 0x9
{{nla_len=12, nla_type=NLA_F_NESTED|0x9}, "\x08\x00\x01\x00\x00\x00\x00\x05"},
 
NFTA_SET_USERDATA                 = 0xd
{{nla_len=16, nla_type=0xd}, "\x00\x04\x02\x00 \x00\x00\x02\x04 \x01\x00\x00\x00"}
]
}, 
 
{{len=164, type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM, flags=NLM_F_REQUEST|NLM_F_CREATE, seq=1, pid=0},
{nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0),
[
 
NFTA_SET_NAME                     = 0x2
{{nla_len=12, nla_type=0x2}, "\x5f\x5f\x73\x65\x74\x25\x64\x00"},
 NFTNL_SET_KEY_TYPE              = 0x4                              <========== It is the nla type, but I cannot find what type 0x2 means; we always used 0x1
{{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x02"},
{{nla_len=14, nla_type=NFNETLINK_V1}, "\x69\x70\x76\x34\x74\x61\x62\x6c\x65\x00"},
{{nla_len=108, nla_type=NLA_F_NESTED|0x3}, "
\x18\x00\x01\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\x00\x00\x00\x00\x10\x00\x02\x80\x0c\x00\x01\x80\x08\x00\x01\x00\x0a\x10\x00\x00\x18\x00\x03\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\x0a\x11\x00\x00\x10\x00\x04\x80\x0c\x00\x01\x80\x08\x00\x01\x00\xc0\x10\x00\x00\x18\x00\x05\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\xc0\x11\x00\x00"}
]
},
 


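Added example, not code from the original post or from any nftables library: a small Go decoder for the nested NFTA_SET_ELEM_LIST_ELEMENTS attribute (nla_type 0x3 in the NFT_MSG_NEWSETELEM message above), run over the exact 104-byte payload from the strace. It shows what nft itself sends for { 192.16.0.0/16, 10.16.0.0/16 }: five boundaries, of which 0.0.0.0, 10.17.0.0 and 192.17.0.0 carry NFTA_SET_ELEM_FLAGS with NFT_SET_ELEM_INTERVAL_END set, which is how the gaps around the two prefixes are expressed. Assumed: a little-endian host for the nla_len/nla_type headers, as in the capture.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Elem is one range boundary; End reports NFT_SET_ELEM_INTERVAL_END (bit 0 of NFTA_SET_ELEM_FLAGS).
type Elem struct {
	Key [4]byte // IPv4 address in network byte order
	End bool
}
// attrs walks a netlink attribute list: host-endian (x86 in the capture) nla_len and nla_type,
// NLA_F_NESTED (0x8000) masked off, each payload padded to a 4-byte boundary.
func attrs(b []byte, fn func(typ uint16, payload []byte)) {
	for len(b) >= 4 {
		l := int(binary.LittleEndian.Uint16(b))
		if l < 4 || l > len(b) {
			return
		}
		fn(binary.LittleEndian.Uint16(b[2:])&^0x8000, b[4:l])
		if l = (l + 3) &^ 3; l > len(b) { // step over the padding as well
			return
		}
		b = b[l:]
	}
}
// ParseElems decodes an NFTA_SET_ELEM_LIST_ELEMENTS payload (libnftnl numbers the elements 1..n, so the outer type is ignored).
func ParseElems(payload []byte) (out []Elem) {
	attrs(payload, func(_ uint16, elem []byte) {
		var e Elem
		attrs(elem, func(t uint16, v []byte) {
			switch t {
			case 3: // NFTA_SET_ELEM_FLAGS, big-endian u32
				e.End = binary.BigEndian.Uint32(v)&1 != 0 // NFT_SET_ELEM_INTERVAL_END
			case 1: // NFTA_SET_ELEM_KEY nests an NFTA_DATA_VALUE (1) holding the address
				attrs(v, func(_ uint16, k []byte) { copy(e.Key[:], k) })
			}
		})
		out = append(out, e)
	})
	return out
}
// nftPayload is the 104-byte NFTA_SET_ELEM_LIST_ELEMENTS payload copied from the strace above.
var nftPayload = []byte("\x18\x00\x01\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\x00\x00\x00\x00" +
	"\x10\x00\x02\x80\x0c\x00\x01\x80\x08\x00\x01\x00\x0a\x10\x00\x00" +
	"\x18\x00\x03\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\x0a\x11\x00\x00" +
	"\x10\x00\x04\x80\x0c\x00\x01\x80\x08\x00\x01\x00\xc0\x10\x00\x00" +
	"\x18\x00\x05\x80\x08\x00\x03\x00\x00\x00\x00\x01\x0c\x00\x01\x80\x08\x00\x01\x00\xc0\x11\x00\x00")

func main() { fmt.Printf("%+v\n", ParseElems(nftPayload)) }
```

In the NFT_MSG_NEWSETELEM message the attribute with nla_type 0x4 is NFTA_SET_ELEM_LIST_SET_ID, so its value 2 echoes the NFTA_SET_ID (0xa) sent in the preceding NFT_MSG_NEWSET message and is not a key type.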

* Re: nftables and set with interval
  2019-08-08 11:47 nftables and set with interval Serguei Bezverkhi (sbezverk)
@ 2019-08-08 13:18 ` Laura Garcia
  2019-08-08 13:32   ` Serguei Bezverkhi (sbezverk)
  2019-08-08 16:08   ` Serguei Bezverkhi (sbezverk)
  0 siblings, 2 replies; 4+ messages in thread
From: Laura Garcia @ 2019-08-08 13:18 UTC (permalink / raw)
  To: Serguei Bezverkhi (sbezverk); +Cc: netfilter-devel

On Thu, Aug 8, 2019 at 1:56 PM Serguei Bezverkhi (sbezverk)
<sbezverk@cisco.com> wrote:
>
> Hello,
>
> I am developing a golang nftables library. I am debugging an nftables set with elements defining intervals. I compare what gets generated by the nft command and the strace of my code.
>
> Based on the output of this command:
>
> sudo nft --debug all add rule ipv4table ipv4chain-1  ip daddr { 192.16.0.0/16, 10.16.0.0/16 } return
>
> It seems nft sets NFTNL_SET_KEY_TYPE (0x4) to 0x2, and I cannot find anywhere what it means.
> {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x02"},
>
> When I decode the strace generated for my code, it always gets set to 0x01
> {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x01"},
>

Hi, are you interacting directly with netlink?
Did you consider using the higher level library libnftables instead?

Cheers.


* Re: nftables and set with interval
  2019-08-08 13:18 ` Laura Garcia
@ 2019-08-08 13:32   ` Serguei Bezverkhi (sbezverk)
  2019-08-08 16:08   ` Serguei Bezverkhi (sbezverk)
  1 sibling, 0 replies; 4+ messages in thread
From: Serguei Bezverkhi (sbezverk) @ 2019-08-08 13:32 UTC (permalink / raw)
  To: Laura Garcia; +Cc: netfilter-devel

Hello Laura,

As I mentioned, the code uses golang; to interact with netlink I use a golang library for netlink and another golang library for expression primitives.
Basically it works for a good number of expressions, but when I get to more complex things like sets with intervals, I hit a problem where the set does not get created; the strange thing is that netlink does not return any errors on set create either.

Here is how I create set with intervals:
	c.AddSet(&nftables.Set{
		Table:     t,
		ID:        uint32(5),
		Name:      "interval-set",
		Anonymous: false,
		Constant:  true,
		Interval:  true,
		KeyType:   nftables.TypeIPAddr, // 0x7
		DataLen:   4,
	}, []nftables.SetElement{
		// Range boundaries in key order; judging by the later message, Val 1 marks
		// the boundaries meant to close a range and Val 0 the ones meant to open one.
		{Key: []byte{0, 0, 0, 0}, Val: []byte{1}},
		{Key: []byte{10, 16, 0, 0}, Val: []byte{0}},
		{Key: []byte{10, 17, 0, 0}, Val: []byte{1}},
		{Key: []byte{192, 16, 0, 0}, Val: []byte{0}},
		{Key: []byte{192, 17, 0, 0}, Val: []byte{1}}, // was 182.17.0.0, a typo: 192.16.0.0/16 ends just before 192.17.0.0
	})

Am I missing anything from the Flags or attributes perspective?

Thank you for your help
Serguei 

On 2019-08-08, 9:19 AM, "Laura Garcia" <nevola@gmail.com> wrote:

    On Thu, Aug 8, 2019 at 1:56 PM Serguei Bezverkhi (sbezverk)
    <sbezverk@cisco.com> wrote:
    >
    > Hello,
    >
    > I am developing a golang nftables library. I am debugging an nftables set with elements defining intervals. I compare what gets generated by the nft command and the strace of my code.
    >
    > Based on the output of this command:
    >
    > sudo nft --debug all add rule ipv4table ipv4chain-1  ip daddr { 192.16.0.0/16, 10.16.0.0/16 } return
    >
    > It seems nft sets NFTNL_SET_KEY_TYPE (0x4) to 0x2, and I cannot find anywhere what it means.
    > {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x02"},
    >
    > When I decode the strace generated for my code, it always gets set to 0x01
    > {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x01"},
    >
    
    Hi, are you interacting directly with netlink?
    Did you consider using the higher level library libnftables instead?
    
    Cheers.
    



* Re: nftables and set with interval
  2019-08-08 13:18 ` Laura Garcia
  2019-08-08 13:32   ` Serguei Bezverkhi (sbezverk)
@ 2019-08-08 16:08   ` Serguei Bezverkhi (sbezverk)
  1 sibling, 0 replies; 4+ messages in thread
From: Serguei Bezverkhi (sbezverk) @ 2019-08-08 16:08 UTC (permalink / raw)
  To: Laura Garcia; +Cc: netfilter-devel

I have made a little progress, so now I build this from the code, but I do not think it is totally right, because only 10.16.0.0/16 and 192.16.0.0/16 should show up; these three elements
0.0.0.0-10.15.255.255, 10.17.0.0-192.15.255.255, 192.17.0.0-255.255.255.255 are supposed to be excluded.

sudo nft list table ipv4table
table ip ipv4table {
	set 246ae426f810 {
		type ipv4_addr
		flags constant,interval
		elements = { 0.0.0.0-10.15.255.255, 10.16.0.0/16,
			     10.17.0.0-192.15.255.255, 192.16.0.0/16,
			     192.17.0.0-255.255.255.255 }
	}

	chain ipv4chain-1 {
		type filter hook input priority filter; policy accept;
		ip daddr @246ae426f810 return comment "pU"
	}
}

In a set with intervals, which attributes do I use, or how do I otherwise indicate an exclusion SetElement?

Thank you
Serguei

On 2019-08-08, 9:19 AM, "Laura Garcia" <nevola@gmail.com> wrote:

    On Thu, Aug 8, 2019 at 1:56 PM Serguei Bezverkhi (sbezverk)
    <sbezverk@cisco.com> wrote:
    >
    > Hello,
    >
    > I am developing a golang nftables library. I am debugging an nftables set with elements defining intervals. I compare what gets generated by the nft command and the strace of my code.
    >
    > Based on the output of this command:
    >
    > sudo nft --debug all add rule ipv4table ipv4chain-1  ip daddr { 192.16.0.0/16, 10.16.0.0/16 } return
    >
    > It seems nft sets NFTNL_SET_KEY_TYPE (0x4) to 0x2, and I cannot find anywhere what it means.
    > {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x02"},
    >
    > When I decode the strace generated for my code, it always gets set to 0x01
    > {{nla_len=8, nla_type=0x4}, "\x00\x00\x00\x01"},
    >
    
    Hi, are you interacting directly with netlink?
    Did you consider using the higher level library libnftables instead?
    
    Cheers.
    


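Added example, my own code rather than the poster's library or anything from the kernel: it reproduces how the kernel reads the boundaries of an interval set, first with the five elements of the posted snippet all unflagged, which gives exactly the listing above, and then with 0.0.0.0, 10.17.0.0 and 192.17.0.0 marked NFT_SET_ELEM_INTERVAL_END, which gives only the two /16 prefixes. Exclusion is therefore not a separate element or attribute: the flag on a boundary element closes the range in front of it. Assumed: elements are already in key order, as the kernel keeps them.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Elem is one range boundary; End means NFT_SET_ELEM_INTERVAL_END is set on it.
type Elem struct {
	Key uint32 // IPv4 address as a host-order integer
	End bool
}
func ip4(a uint32) string { return fmt.Sprintf("%d.%d.%d.%d", a>>24, a>>16&255, a>>8&255, a&255) }
// span formats a closed range the way nft lists it: as a prefix when it is one, else lo-hi.
func span(lo, hi uint32) string {
	n := uint64(hi) - uint64(lo) + 1
	if n&(n-1) == 0 && uint64(lo)%n == 0 {
		return fmt.Sprintf("%s/%d", ip4(lo), 32-bits.TrailingZeros64(n))
	}
	return ip4(lo) + "-" + ip4(hi)
}
// Intervals reproduces the kernel's reading of a key-ordered interval set: an element without
// the end flag opens a range up to the next boundary (or to 255.255.255.255); a flagged one
// only closes the range before it and matches nothing itself.
func Intervals(es []Elem) []string {
	var out []string
	for i, e := range es {
		hi := uint32(0xffffffff)
		if i+1 < len(es) {
			hi = es[i+1].Key - 1
		}
		if !e.End {
			out = append(out, span(e.Key, hi))
		}
	}
	return out
}
// Boundaries builds the five keys of the posted snippet; with ends=true, 0.0.0.0, 10.17.0.0
// and 192.17.0.0 carry NFT_SET_ELEM_INTERVAL_END, exactly as the nft-generated message does.
func Boundaries(ends bool) []Elem {
	keys := []uint32{0, 10<<24 | 16<<16, 10<<24 | 17<<16, 192<<24 | 16<<16, 192<<24 | 17<<16}
	es := make([]Elem, len(keys))
	for i, k := range keys {
		es[i] = Elem{Key: k, End: ends && i%2 == 0}
	}
	return es
}

func main() { fmt.Println(Intervals(Boundaries(false)), Intervals(Boundaries(true))) }
```

Recent versions of the google/nftables library expose this flag as the SetElement field IntervalEnd.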
