From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: nft named set address types
Date: Tue, 16 Nov 2021 09:35:25 +0100
Message-ID: <YZNtTRijDHe41jNl@salvia>
In-Reply-To: <CAOLfK3XahvuNNJbB2Ji-SwsiQT5vrJy8O_adidy+qPbMh5p3DA@mail.gmail.com>
On Mon, Nov 15, 2021 at 08:55:19PM -0600, Matt Zagrabelny wrote:
> Hey Pablo and others...
>
> On Mon, Nov 15, 2021 at 8:22 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Mon, Nov 15, 2021 at 08:47:10PM +0100, Pablo Neira Ayuso wrote:
> > > On Mon, Nov 15, 2021 at 11:40:43AM -0600, Matt Zagrabelny wrote:
> > [...]
> > > > Is there no vmap for icmp?
> > >
> > > instead of:
> > >
> > > meta protocol {icmp, icmpv6} vmap {
> > >     icmp: jump icmp_ipv4,
> > >     icmpv6: jump icmp_ipv6,
> > > }
> > >
> > > this should be:
> > >
> > > meta protocol vmap {
> > >     icmp: jump icmp_ipv4,
> > >     icmpv6: jump icmp_ipv6,
> > > }
> >
> > Wrong selector actually:
>
>
> Ha. Yup. I'm just discovering this as you sent your email. I was going
> to reply with a few questions. So your reply was well timed.
>
>
> > # nft describe meta protocol
> > meta expression, datatype ether_type (Ethernet protocol) (basetype integer), 16 bits
> >
> > pre-defined symbolic constants (in hexadecimal):
> > ip 0x0800
> > arp 0x0806
> > ip6 0x86dd
> > 8021q 0x8100
> > 8021ad 0x88a8
> > vlan 0x8100
> >
> > you should use meta l4proto instead
> >
> > # nft describe meta l4proto
> > meta expression, datatype inet_proto (Internet protocol) (basetype integer), 8 bits
> > ip 0
> > icmp 1
> > igmp 2
> > ggp 3
> > ipencap 4
> > st 5
> > tcp 6
> > ...
> >
> > Therefore:
> >
> > meta l4proto vmap {
> >     icmp: jump icmp_ipv4,
> >     icmpv6: jump icmp_ipv6,
> > }
>
> Agreed. This is working better than the previous vmap.
>
> I search for "nftables icmp" on the interwebs and found these rules:
>
> meta nfproto ipv4 icmp type { echo-request } counter accept
> meta nfproto ipv6 icmpv6 type echo-request counter accept
The following is just fine:
icmp type echo-request counter accept
icmpv6 type echo-request counter accept
but the problem is that you will end up with an IPv4 rule and an IPv6
rule; that's why I suggest you split the IP-dependent part into
chains, i.e.
meta protocol vmap { ip : jump ipv4_input, ip6 : jump ipv6_input }
Please, have a look at the nft manpage and wiki.
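Putting the two suggestions from this reply together in one ruleset, as an added example that is not from the thread or from the nftables project: the input chain of an inet table first dispatches on meta protocol (the 16-bit ethertype) into ipv4_input and ipv6_input, and each of those then dispatches on meta l4proto (the 8-bit inet_proto) into icmp_ipv4 and icmp_ipv6. The chain names are the ones used in the thread; the tcp_input chain, the accepted ICMP/ICMPv6 types and the SSH port are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread or the nftables project).
# Chain names ipv4_input/ipv6_input/icmp_ipv4/icmp_ipv6 come from the thread;
# tcp_input, the ICMP type lists and port 22 are constructed for illustration.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # One split on the address family (ethertype: ip = 0x0800, ip6 = 0x86dd),
        # so the IP-dependent rules live in their own chains.
        meta protocol vmap { ip : jump ipv4_input, ip6 : jump ipv6_input }
    }

    chain ipv4_input {
        # meta l4proto is the inet_proto selector; icmp is protocol number 1.
        meta l4proto vmap { icmp : jump icmp_ipv4, tcp : jump tcp_input }
    }

    chain ipv6_input {
        # icmpv6 is inet_proto 58; it is a different key than icmp, so each
        # family needs its own entry.
        meta l4proto vmap { icmpv6 : jump icmp_ipv6, tcp : jump tcp_input }
    }

    chain icmp_ipv4 {
        # Sample of ICMP types to allow; tighten to what the host needs.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } counter accept
    }

    chain icmp_ipv6 {
        # IPv6 depends on neighbour discovery and packet-too-big for basic operation,
        # so these are allowed in addition to the error and echo types.
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept
    }

    chain tcp_input {
        tcp dport 22 counter accept
    }
}
```

Anything a vmap does not match falls through to the caller, which here ends in the input chain's drop policy. Check the file without loading it with `nft -c -f ruleset.nft`, then load it with `nft -f ruleset.nft`; `nft describe meta protocol` and `nft describe meta l4proto` show which symbolic keys each selector accepts, as in the output quoted above.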
Thread overview (12+ messages):
2021-11-01 20:46 nft named set address types Matt Zagrabelny
2021-11-02 19:39 ` Matt Zagrabelny
2021-11-02 20:23 ` Pablo Neira Ayuso
2021-11-02 20:56 ` Matt Zagrabelny
2021-11-15 17:40 ` Matt Zagrabelny
2021-11-15 17:59 ` Eugene Crosser
2021-11-15 19:00 ` Kerin Millar
2021-11-15 19:47 ` Pablo Neira Ayuso
2021-11-16 2:20 ` Pablo Neira Ayuso
2021-11-16 2:55 ` Matt Zagrabelny
2021-11-16 8:35 ` Pablo Neira Ayuso [this message]
2021-11-02 19:53 ` Florian Westphal