No interval possible on Concatenation-Sets

All of lore.kernel.org
 help / color / mirror / Atom feed

* No interval possible on Concatenation-Sets
@ 2020-09-16  9:05 Siebzehn
  2020-09-16 12:52 ` Florian Westphal
  2020-09-16 13:05 ` Arturo Borrero Gonzalez
  0 siblings, 2 replies; 5+ messages in thread
From: Siebzehn @ 2020-09-16  9:05 UTC (permalink / raw)
  To: netfilter

Hello,

I'm filtering Address-Ranges and Ports to let them though. However it
doesn't seem to accept "flags intervals".
Even the Example on the wiki isn't getting accepted!

Example from
https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Network_addresses
flush ruleset
table inet mytable {
    set myset {
        type ipv4_addr . ipv4_addr
        flags interval
        elements = { 192.168.0.0/16 . 172.16.0.0/25,
                     10.0.0.0/30 . 192.168.1.0/24,
        }
    }

    chain mychain {
        ip saddr . ip daddr @myset counter accept
    }
}

Error:
nft -f TestD.nft
TestD.nft:4:9-13: Error: Could not process rule: Invalid argument
    set myset {
        ^^^^^

When I do it without " flags interval" it gives no Error, However it
deletes the Subnet ("/XX"), so it's not a feasible option for me.
I have already tried adding Semicolons, no effect.
Simple Sets with just one item (for example just ip ranges) to filter
work just fine.

Hope someone of you has an idea.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: No interval possible on Concatenation-Sets
  2020-09-16  9:05 No interval possible on Concatenation-Sets Siebzehn
@ 2020-09-16 12:52 ` Florian Westphal
  2020-09-16 13:52   ` Siebzehn
  2020-09-16 13:05 ` Arturo Borrero Gonzalez
  1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2020-09-16 12:52 UTC (permalink / raw)
  To: Siebzehn; +Cc: netfilter

Siebzehn <siebzehntausend@gmail.com> wrote:
> I'm filtering Address-Ranges and Ports to let them though. However it
> doesn't seem to accept "flags intervals".
> Even the Example on the wiki isn't getting accepted!
> 
> Example from
> https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Network_addresses
> flush ruleset
> table inet mytable {
>     set myset {
>         type ipv4_addr . ipv4_addr
>         flags interval
>         elements = { 192.168.0.0/16 . 172.16.0.0/25,
>                      10.0.0.0/30 . 192.168.1.0/24,
>         }
>     }
> 
>     chain mychain {
>         ip saddr . ip daddr @myset counter accept
>     }
> }
> 
> Error:
> nft -f TestD.nft
> TestD.nft:4:9-13: Error: Could not process rule: Invalid argument
>     set myset {

Concatenations with intervals need kernel 5.6 or newer.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: No interval possible on Concatenation-Sets
  2020-09-16 12:52 ` Florian Westphal
@ 2020-09-16 13:52   ` Siebzehn
  0 siblings, 0 replies; 5+ messages in thread
From: Siebzehn @ 2020-09-16 13:52 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

Am Mi., 16. Sept. 2020 um 14:52 Uhr schrieb Florian Westphal <fw@strlen.de>:
>
> Siebzehn <siebzehntausend@gmail.com> wrote:
> > I'm filtering Address-Ranges and Ports to let them though. However it
> > doesn't seem to accept "flags intervals".
> > Even the Example on the wiki isn't getting accepted!
> >
> > Example from
> > https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Network_addresses
> > flush ruleset
> > table inet mytable {
> >     set myset {
> >         type ipv4_addr . ipv4_addr
> >         flags interval
> >         elements = { 192.168.0.0/16 . 172.16.0.0/25,
> >                      10.0.0.0/30 . 192.168.1.0/24,
> >         }
> >     }
> >
> >     chain mychain {
> >         ip saddr . ip daddr @myset counter accept
> >     }
> > }
> >
> > Error:
> > nft -f TestD.nft
> > TestD.nft:4:9-13: Error: Could not process rule: Invalid argument
> >     set myset {
>
> Concatenations with intervals need kernel 5.6 or newer.

Thanks it worked!

I saw the note but wasn't sure what it meant...
"NOTE: before kinux kernel 5.6 and nftables 0.9.4 the CIDR notation
wasn't available, ...:"

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: No interval possible on Concatenation-Sets
  2020-09-16  9:05 No interval possible on Concatenation-Sets Siebzehn
  2020-09-16 12:52 ` Florian Westphal
@ 2020-09-16 13:05 ` Arturo Borrero Gonzalez
  2020-09-16 13:51   ` Siebzehn
  1 sibling, 1 reply; 5+ messages in thread
From: Arturo Borrero Gonzalez @ 2020-09-16 13:05 UTC (permalink / raw)
  To: Siebzehn; +Cc: netfilter

On 2020-09-16 11:05, Siebzehn wrote:
> Hello,
> 
> I'm filtering Address-Ranges and Ports to let them though. However it
> doesn't seem to accept "flags intervals".
> Even the Example on the wiki isn't getting accepted!
> 
> Example from
> https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Network_addresses
> flush ruleset
> table inet mytable {
>     set myset {
>         type ipv4_addr . ipv4_addr
>         flags interval
>         elements = { 192.168.0.0/16 . 172.16.0.0/25,
>                      10.0.0.0/30 . 192.168.1.0/24,
>         }
>     }
> 
>     chain mychain {
>         ip saddr . ip daddr @myset counter accept
>     }
> }
> 

Make sure you are using:

* nftables >= 0.9.4
* kinux kernel >= 5.6

regards.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: No interval possible on Concatenation-Sets
  2020-09-16 13:05 ` Arturo Borrero Gonzalez
@ 2020-09-16 13:51   ` Siebzehn
  0 siblings, 0 replies; 5+ messages in thread
From: Siebzehn @ 2020-09-16 13:51 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: netfilter

Am Mi., 16. Sept. 2020 um 15:05 Uhr schrieb Arturo Borrero Gonzalez
<arturo@netfilter.org>:
>
> On 2020-09-16 11:05, Siebzehn wrote:
> > Hello,
> >
> > I'm filtering Address-Ranges and Ports to let them though. However it
> > doesn't seem to accept "flags intervals".
> > Even the Example on the wiki isn't getting accepted!
> >
> > Example from
> > https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Network_addresses
> > flush ruleset
> > table inet mytable {
> >     set myset {
> >         type ipv4_addr . ipv4_addr
> >         flags interval
> >         elements = { 192.168.0.0/16 . 172.16.0.0/25,
> >                      10.0.0.0/30 . 192.168.1.0/24,
> >         }
> >     }
> >
> >     chain mychain {
> >         ip saddr . ip daddr @myset counter accept
> >     }
> > }
> >
>
> Make sure you are using:
>
> * nftables >= 0.9.4
> * kinux kernel >= 5.6
>
> regards.

Thanks it worked!

I saw the note but wasn't sure what it meant...
"NOTE: before kinux kernel 5.6 and nftables 0.9.4 the CIDR notation
wasn't available, ...:"

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-09-16 13:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-16  9:05 No interval possible on Concatenation-Sets Siebzehn
2020-09-16 12:52 ` Florian Westphal
2020-09-16 13:52   ` Siebzehn
2020-09-16 13:05 ` Arturo Borrero Gonzalez
2020-09-16 13:51   ` Siebzehn

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.