From: Florian Westphal <fw@strlen.de>
To: Jan-Philipp Litza <jpl+direct@plutex.de>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables: No prefixes in anonymous sets?
Date: Mon, 2 Dec 2019 21:06:52 +0100
Message-ID: <20191202200652.GT795@breakpoint.cc>
In-Reply-To: <7dd662ab-9d95-dbe9-3cf8-5db33ccb4b1a@plutex.de>
Jan-Philipp Litza <jpl+direct@plutex.de> wrote:
> Hi everyone,
>
> surely not only for me, sets were one of the main reasons to switch from
> iptables to nftables. However, I was very disappointed that anonymous IP
> address sets don't support prefixes (ranges):
They do...
> /etc/nftables.conf:5:20-29: Error: Set member cannot be prefix, missing
> interval flag on declaration
> ip saddr { 8.8.8.8/32, 1.1.1.1/32 } drop
             ^^^^^^^^^^
Which nft and libnftnl versions are these?
This code is taken for non-anon sets.
> Poking around in the source code, I found the relevant line [1] that
> explicitly checks for anonymous sets. Apparently it was added in [2] to
> give the user a better error message than some "BUG".
Note the ! -- this check is done for named sets.
> But couldn't you also simply (or maybe not so simply) "upgrade" the
> anonymous set to an interval-capable set when you encounter a prefix?
That's what is supposed to happen already.
> Also, why isn't this message triggered by something like "tcp dport {
> 22-23, 80, 443 }"? Isn't this a range in an anonymous set as well?
Yes, it's a range.
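The ruleset below is an added illustration of the distinction made in this reply; it is not part of the thread and not code from the nftables project. Anonymous sets written inline in a rule (prefixes as well as port ranges) are created as interval sets automatically, so no flag is needed. A named set is declared up front, so the interval capability has to be requested explicitly with "flags interval"; leaving it out and then adding a prefix element is what produces the "Set member cannot be prefix, missing interval flag on declaration" error. The table and set names, the 192.0.2.0/24 documentation prefix and the port numbers are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: anonymous vs. named sets holding prefixes and ranges.
# Check it without loading anything with:  nft -c -f thisfile.nft

table inet filter {
    # Named set: prefixes (and ranges) are only accepted here because of
    # "flags interval". Remove that line and nft rejects 192.0.2.0/24 with
    # "Set member cannot be prefix, missing interval flag on declaration".
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 8.8.8.8, 1.1.1.1, 192.0.2.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Anonymous set with prefixes: nft upgrades it to an interval set
        # by itself, no declaration and no flag required.
        ip saddr { 8.8.8.8/32, 1.1.1.1/32, 192.0.2.0/24 } drop

        # Anonymous set mixing a port range with single ports: same
        # mechanism, which is why this never triggers the error either.
        tcp dport { 22-23, 80, 443 } accept

        # Reference the named set; it can later be edited at runtime, e.g.
        #   nft add element inet filter blocklist { 198.51.100.0/24 }
        ip saddr @blocklist drop
    }
}
```

The practical rule of thumb: if a set of addresses or ports is only ever used in one rule, write it inline and let nft pick the set type; if it has to be updated at runtime or shared between rules, declare it as a named set and add "flags interval" whenever any element is, or may later become, a prefix or range.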
Thread overview: 3+ messages
2019-12-02 9:10 nftables: No prefixes in anonymous sets? Jan-Philipp Litza
2019-12-02 20:06 ` Florian Westphal [this message]
2019-12-03 7:44 ` Jan-Philipp Litza