Re: nft named set address types

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: nft named set address types
Date: Tue, 2 Nov 2021 21:23:42 +0100	[thread overview]
Message-ID: <YYGeTgBAZfM76k4h@salvia> (raw)
In-Reply-To: <CAOLfK3XW28kgrBGpQvi9eO3h2oQD80kU6tqz0obgSfvkgbF5-A@mail.gmail.com>

On Tue, Nov 02, 2021 at 02:39:33PM -0500, Matt Zagrabelny wrote:
> Replying to myself...
> 
> On Mon, Nov 1, 2021 at 3:46 PM Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> >
> > Hello,
> >
> > I'd like to use the "inet" address family in a named set. I see nft
> > supports the following address families [AF] (among others):
> >
> >        ip       IPv4 address family.
> >
> >        ip6      IPv6 address family.
> >
> >        inet     Internet (IPv4/IPv6) address
> >                 family.
> 
> 
> I'm not sure nftables even would allow an "inet" to be used in a rule such as:
> 
> table inet filter {
>     chain input {
>         inet saddr { 127.0.0.1, ::1 } tcp dport 22 accept
>     }
> }
> 
> Instead, it seems I must do:
> 
> table inet filter {
>     chain input {

there is no chain definition here, this chain sees no traffic.

          type filter hook input priority filter; policy drop;

is missing.

>         ip saddr 127.0.0.1 tcp dport 22 accept
>         ip6 saddr ::1 tcp dport 22 accept

Better split your ruleset in a tree using verdict maps:

table inet filter {
    chain input_ip4 {
        ip saddr 127.0.0.1 accept
    }

    chain input_ip6 {
        ip6 saddr ::1 accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        # implicit match on 'ct state new,untracked'
        tcp dport 22 meta protocol vmap { ip : jump input_ip4, ip6 : jump input_ip6 }
    }
}

next prev parent reply	other threads:[~2021-11-02 20:23 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-01 20:46 nft named set address types Matt Zagrabelny
2021-11-02 19:39 ` Matt Zagrabelny
2021-11-02 20:23   ` Pablo Neira Ayuso [this message]
2021-11-02 20:56     ` Matt Zagrabelny
2021-11-15 17:40     ` Matt Zagrabelny
2021-11-15 17:59       ` Eugene Crosser
2021-11-15 19:00       ` Kerin Millar
2021-11-15 19:47       ` Pablo Neira Ayuso
2021-11-16  2:20         ` Pablo Neira Ayuso
2021-11-16  2:55           ` Matt Zagrabelny
2021-11-16  8:35             ` Pablo Neira Ayuso
2021-11-02 19:53 ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YYGeTgBAZfM76k4h@salvia \
    --to=pablo@netfilter.org \
    --cc=mzagrabe@d.umn.edu \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.