From: Patrick McHardy <kaber@trash.net>
To: "Christoph A." <casmls@gmail.com>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: nftables: problem with sets (Object not found)
Date: Tue, 28 Jul 2009 15:53:00 +0200	[thread overview]
Message-ID: <4A6F02BC.7080904@trash.net> (raw)
In-Reply-To: <4A6EEDBA.3010505@trash.net>

Patrick McHardy wrote:
> Christoph A. wrote:
>> Am I missing something in the kernel or do I have a syntax error in my
>> rules?
>> (kernel config attached)
> 
> I never pushed out the userspace changes for the new set API.
> I just pushed out all the changes that should be needed, please
> update your trees and try again.

BTW, for reference, attached is an example script for the new
features (included in the tree in files/examples/sets_and_maps).
The named sets can then be updated dynamically like this:

# nft add element filter jump_map { eth0 => jump input_1, eth1 => jump input_2 }

# nft add element filter nat_map eth0 => 10.0.0.1

# nft add element filter local_ifs { eth1, eth2, eth3 }
# nft delete element filter local_ifs eth2

etc. For now, all sets and maps are bound to tables. This is actually
only necessary for verdict maps, so this might change.



[-- Attachment #2: sets_and_maps --]

#! /sbin/nft -nf
#
# Examples of set and map usage
#

# symbolic anonymous set definition built from symbolic singleton definitions
define int_if1	 = eth0
define int_if2	 = eth1
define int_ifs	 = { $int_if1, $int_if2 }

define ext_if1	 = eth2
define ext_if2	 = eth3
define ext_ifs	 = { $ext_if1, $ext_if2 }

# recursive symbolic anonymous set definition
define local_ifs = { $int_ifs, $ext_ifs }

# symbolic anonymous set definition
define tcp_ports = { ssh, domain, https, 123-125 }

delete table filter
table filter {
	# named set of type ifindex
	set local_ifs {
		type ifindex
	}

	# named map of type ifindex => ipv4_address
	map nat_map {
		type ifindex => ipv4_address
	}

	map jump_map {
		type ifindex => verdict
	}

	chain input_1 { counter; }
	chain input_2 { counter; }
	chain input {
		hook NF_INET_LOCAL_IN 0

		# symbolic anonymous sets
		meta iif $local_ifs tcp dport $tcp_ports counter

		# literal anonymous set
		meta iif { eth0, eth1 } counter

		meta iif @local_ifs counter
		meta iif vmap @jump_map

		# literal anonymous verdict map (chain names match the chains defined above)
		#meta iif vmap { eth0 => jump input_1, eth1 => jump input_2 }
	}
}
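For readers working with a released nftables rather than the 2009 development tree, the following is an added editor's example (not part of this mail or of its attachment) that restates the attached script in current nft syntax, with the dynamic element updates from the mail body shown as comments. It assumes interfaces are matched by name (`ifname`) instead of by index, and the interface names and the 10.0.0.1 address are constructed sample values carried over from the mail.

```nft
#!/usr/sbin/nft -f
# Current-syntax equivalent of the 2009 sets_and_maps example.
# Make the script idempotent: create the table if absent, then drop it.
table inet filter
delete table inet filter

table inet filter {
	chain input_1 { counter }
	chain input_2 { counter }

	# named set, keyed by interface name
	set local_ifs {
		type ifname
		elements = { "eth1", "eth2", "eth3" }
	}

	# named map: interface name => IPv4 address
	map nat_map {
		type ifname : ipv4_addr
		elements = { "eth0" : 10.0.0.1 }
	}

	# named verdict map: interface name => chain to jump to
	map jump_map {
		type ifname : verdict
		elements = { "eth0" : jump input_1, "eth1" : jump input_2 }
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# anonymous set literal for ports, named set for interfaces
		iifname @local_ifs tcp dport { ssh, domain, https, 123-125 } counter

		# dispatch on the named verdict map
		iifname vmap @jump_map
	}
}

# Syntax-check without loading:   nft -c -f sets_and_maps.nft
# Load:                           nft -f sets_and_maps.nft
# Dynamic updates of the named sets and maps (equivalents of the mail's commands):
#   nft add element inet filter jump_map { "eth0" : jump input_1, "eth1" : jump input_2 }
#   nft add element inet filter nat_map { "eth0" : 10.0.0.1 }
#   nft add element inet filter local_ifs { "eth1", "eth2", "eth3" }
#   nft delete element inet filter local_ifs { "eth2" }
```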
