From: "sabitov@sabitov.su" <sabitov@sabitov.su>
To: netfilter@vger.kernel.org
Subject: How to use NFT inet sets???
Date: Tue, 20 Oct 2015 16:51:06 +0600
Message-ID: <56261C9A.3020902@sabitov.su>

Hi!
I am trying to build a combined IPv4 and IPv6 firewall using NFT. But I cannot
find any working example of nft's _INET_ set usage :(
I tried the following:
/sbin/nft -i
nft> list ruleset
nft> flush ruleset
nft> list ruleset
nft> add table inet fw
nft> add chain inet fw input { type filter hook input priority 10; }
nft> add chain inet fw output { type filter hook output priority 10; }
nft> add chain inet fw forward { type filter hook forward priority 10; }
nft> add set inet fw admin_list { type inet_proto ; }
nft> add set inet fw black_list { type inet_proto ; }
nft> add rule inet fw input inet saddr @black_list log drop
<cli>:1:29-32: Error: syntax error, unexpected inet
add rule inet fw input inet saddr @black_list log drop
^^^^
nft> add rule inet fw input ip saddr @black_list log drop
<cli>:1:38-48: Error: datatype mismatch, expected IPv4 address, set has
type Internet protocol
add rule inet fw input ip saddr @black_list log drop
~~~~~~~~ ^^^^^^^^^^^
nft> add rule inet fw input ip6 saddr @black_list log drop
<cli>:1:39-49: Error: datatype mismatch, expected IPv6 address, set has
type Internet protocol
add rule inet fw input ip6 saddr @black_list log drop
~~~~~~~~~ ^^^^^^^^^^^
nft> add rule inet fw input saddr @black_list log drop
<cli>:1:26-30: Error: syntax error, unexpected saddr
add rule inet fw input saddr @black_list log drop
^^^^^
nft> ^D
Is there any example of how I can use nft's _INET_ set?
Thanks a lot.
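
Added example, not part of the original message or of the list reply: the "datatype mismatch" errors in the session above arise because inet_proto is the datatype for layer-4 protocol numbers, while ip saddr and ip6 saddr need sets of type ipv4_addr and ipv6_addr, so a dual-stack inet table carries one address set per family. The set names black_list4, black_list6 and l4_protos and all elements are constructed for illustration (documentation address ranges); the file can be loaded with nft -f.

```nft
# Constructed example ruleset for the inet (dual-stack) family.
table inet fw {
    # Address sets are typed per family; an inet table may hold both.
    set black_list4 {
        type ipv4_addr
        elements = { 192.0.2.1, 198.51.100.7 }   # constructed sample entries
    }

    set black_list6 {
        type ipv6_addr
        elements = { 2001:db8::1 }               # constructed sample entry
    }

    # What a set of type inet_proto actually holds: protocol numbers.
    set l4_protos {
        type inet_proto
        elements = { tcp, udp }
    }

    chain input {
        type filter hook input priority 10;

        # Each rule names the family whose source address it matches,
        # and the set datatype agrees with that selector.
        ip saddr @black_list4 log drop
        ip6 saddr @black_list6 log drop

        # An inet_proto set matches against meta l4proto, not an address.
        meta l4proto @l4_protos counter
    }
}
```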
Thread overview: 2+ messages
2015-10-20 10:51 sabitov [this message]
2015-10-20 11:46 ` How to use NFT inet sets??? Pablo Neira Ayuso