* nftables vmap concatenations with interval
@ 2016-09-27 15:10 Martin Bednar
From: Martin Bednar @ 2016-09-27 15:10 UTC (permalink / raw)
  To: netfilter

hi,

using nftables, I want to create a vmap:

map mymap { type ipv4_addr . iface_index : verdict }

I'd like the first argument to be an ip range/network, so that I can add like
so:
nft add element inet filter mymap { 172.18.0.1/24 . eth0 : accept }
or
nft add element inet filter mymap { 172.18.0.1-172.18.0.255 . eth0 : accept }

Any hints as to how to do it?

Thanks,

Martin.


* Re: nftables vmap concatenations with interval
From: Pablo Neira Ayuso @ 2016-09-27 19:11 UTC (permalink / raw)
  To: Martin Bednar; +Cc: netfilter

On Tue, Sep 27, 2016 at 05:10:45PM +0200, Martin Bednar wrote:
> hi,
> 
> using nftables, I want to create a vmap:
> 
> map mymap { type ipv4_addr . iface_index : verdict }
> 
> I'd like the first argument to be an ip range/network, so that I can add like
> so:
> nft add element inet filter mymap { 172.18.0.1/24 . eth0 : accept }
> or
> nft add element inet filter mymap { 172.18.0.1-172.18.0.255 . eth0 : accept }
> 
> Any hints as to how to do it?

nft add table inet filter
nft add map inet filter mymap { type ipv4_addr . iface_index : verdict \; }
nft add element inet filter mymap { 172.18.0.0  . eth0 : accept }
nft add rule inet filter forward ip saddr and 255.255.255.0 . iif vmap @mymap
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^

The idea here is to mask the address, then add to the set the result
of this operation, thus, 172.18.0.0

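A small helper, added here as an example and not code from the thread, that computes the masked element value Pablo's rule will look up (the result of `ip saddr and 255.255.255.0`) from a CIDR and prints the matching nft commands; it also shows which lookup key a given packet source address produces, so you can check that an element entered as 172.18.0.1 instead of 172.18.0.0 would never be hit. nft itself is not executed, and the table, map and interface names are the thread's own.

```shell
#!/bin/sh
# Added example: derive the masked vmap key for Pablo's trick. The rule masks the
# packet's source address with one fixed mask, so every element in the map must be
# the network address under that same mask (here a /24), not a host address.

# Dotted quad -> integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> 32-bit netmask as an integer.
prefix2mask() {
    echo $(( ((4294967295 >> (32 - $1)) << (32 - $1)) & 4294967295 ))
}

# Key the rule "ip saddr and <mask>" computes for a packet source address.
rule_lookup_key() {
    int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") ))
}

# Network address of a CIDR, i.e. the value that belongs in the map element.
network_of() {
    rule_lookup_key "${1%/*}" "${1#*/}"
}

# Emit the nft commands from the answer for CIDR $1, interface $2, verdict $3.
vmap_commands() {
    _net=$(network_of "$1")
    _mask=$(int2ip "$(prefix2mask "${1#*/}")")
    printf '%s\n' \
        "nft add table inet filter" \
        "nft add map inet filter mymap { type ipv4_addr . iface_index : verdict \\; }" \
        "nft add element inet filter mymap { $_net . $2 : $3 }" \
        "nft add rule inet filter forward ip saddr and $_mask . iif vmap @mymap"
}

# Example run for the CIDR from the question (constructed input).
vmap_commands 172.18.0.1/24 eth0 accept
echo "packet from 172.18.0.77 looks up key: $(rule_lookup_key 172.18.0.77 24)"
```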

* Re: nftables vmap concatenations with interval
From: Martin Bednar @ 2016-09-28 12:51 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

On Tuesday, September 27, 2016 9:11:01 PM CEST Pablo Neira Ayuso wrote:
> 
> nft add table inet filter
> nft add map inet filter mymap { type ipv4_addr . iface_index : verdict \; }
> nft add element inet filter mymap { 172.18.0.0  . eth0 : accept }
> nft add rule inet filter forward ip saddr and 255.255.255.0 . iif vmap @mymap
>                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> The idea here is to mask the address, then add to the set the result
> of this operation, thus, 172.18.0.0

Very cool trick... Thanks. This solves 90% of what I want :)
This however implies the same mask for all networks, right?
Is it somehow possible to have one vmap for networks with different masks?

Thanks.

