From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Austin Lund <austin.lund@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Change in nft set element add syntax?
Date: Thu, 22 Sep 2022 07:40:20 +0200	[thread overview]
Message-ID: <Yyv1RIjX0pGSbAMP@salvia> (raw)
In-Reply-To: <20220922021238.donues3tuiufzbsn@sarek.home.aplund.id.au>

Hi,

No syntax updates have been done, see below.

On Thu, Sep 22, 2022 at 12:12:38PM +1000, Austin Lund wrote:
> Hi,
> 
> I upgraded from nft 1.0.1 to 1.0.5 and found some of the rules I have
> gave some errors.  I narrowed it down to adding to sets.  It's all
> pretty simple; the error is
> 
> > # /usr/bin/nft -c -f /etc/nftables.conf
> > /etc/nftables.conf:44:3-37: Error: Could not process rule: Operation not supported
> > 	ip saddr @badconns goto update_drop
> > 	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > /etc/nftables.conf:64:3-28: Error: Could not process rule: Invalid argument
> > 	add @badconns { ip saddr }
> > 	^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I have my nftables.conf stuff like this:
> 
> > table inet filter {
> >         set badconns { typeof ip saddr; timeout 1h; }
> >         set badconns6 { typeof ip6 saddr; timeout 1h; }
> > ...
> >         chain input {
> > ...
> >                 ip saddr @badconns goto update_drop
> >                 ip6 saddr @badconns6 goto update_drop
> > ...
> >         }
> >
> >         chain update_drop {
> >                 update @badconns { ip saddr }
> >                 update @badconns6 { ip6 saddr }
> >                 drop
> >         }
> > ...
> 
> This logic is probably somewhat broken, but it does work in the older
> version.  Should this give an error in the new version? 

This loads fine here.

# cat test.nft
table inet filter {
         set badconns { typeof ip saddr; timeout 1h; }
         set badconns6 { typeof ip6 saddr; timeout 1h; }

         chain input {
                 ip saddr @badconns goto update_drop
                 ip6 saddr @badconns6 goto update_drop
         }

         chain update_drop {
                 update @badconns { ip saddr }
                 update @badconns6 { ip6 saddr }
                 drop
         }
}
# nft -f test.nft
# echo $?
# nft list ruleset
table inet filter {
        set badconns {
                typeof ip saddr
                size 65535
                flags dynamic,timeout
                timeout 1h
        }

        set badconns6 {
                typeof ip6 saddr
                size 65535
                flags dynamic,timeout
                timeout 1h
        }

        chain input {
                ip saddr @badconns goto update_drop
                ip6 saddr @badconns6 goto update_drop
        }

        chain update_drop {
                update @badconns { ip saddr }
                update @badconns6 { ip6 saddr }
                drop
        }
}

# nft -v
nftables v1.0.5 (Lester Gooch #4)
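The ruleset in the thread is a self-refreshing blocklist: a lookup against a dynamic set jumps to a chain that re-inserts the source with `update`, so every further packet from a listed address restarts its 1h timer. What the thread does not show is how addresses get into the set in the first place. The following complete ruleset is an added example, not code from either poster or from the nftables project; it feeds the same `update @badconns { ip saddr }` / `goto update_drop` construct from a rate meter on new SSH connections. The port (22), the 5/minute threshold, the 5m meter timeout and the `policy drop` input chain are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: an expiring SSH brute-force blocklist built
# from the same "ip saddr @set goto chain" and "update @set { ip saddr }"
# statements discussed above. Port 22, the 5/minute threshold and the meter
# timeout are assumptions for illustration.
flush ruleset

table inet filter {
	# Meters: one entry per source address, rate-limiting new SSH connections.
	# "flags dynamic" is required for sets that are filled from the packet path.
	set ssh_meter  { typeof ip saddr;  flags dynamic; timeout 5m; }
	set ssh_meter6 { typeof ip6 saddr; flags dynamic; timeout 5m; }

	# Blocklist: an entry expires 1h after its last refresh by update_drop.
	set badconns  { typeof ip saddr;  flags dynamic; timeout 1h; }
	set badconns6 { typeof ip6 saddr; flags dynamic; timeout 1h; }

	chain input {
		type filter hook input priority filter; policy drop;

		iif lo accept
		ct state established,related accept
		ct state invalid drop

		# Already banned: refresh the 1h timer and drop, so a source that
		# keeps retrying never ages out of the set.
		ip saddr @badconns goto update_drop
		ip6 saddr @badconns6 goto update_drop

		# "add ... limit rate over" only matches once the source exceeds the
		# rate; the first excess packet sends the source to update_drop,
		# which inserts it into the blocklist and drops the packet.
		tcp dport 22 ct state new add @ssh_meter  { ip saddr  limit rate over 5/minute } goto update_drop
		tcp dport 22 ct state new add @ssh_meter6 { ip6 saddr limit rate over 5/minute } goto update_drop

		tcp dport 22 ct state new accept
	}

	chain update_drop {
		# update (unlike add) refreshes the timeout of an element that is
		# already present, which is what keeps persistent offenders banned.
		update @badconns  { ip saddr }
		update @badconns6 { ip6 saddr }
		counter drop
	}
}
```

Check it the same way the thread does, with `nft -c -f ssh-ban.nft`, before loading it with `nft -f ssh-ban.nft`; `nft list set inet filter badconns` then shows the currently banned sources with their remaining timeouts. The distinction between the two set statements matters for the timer semantics: `add` inserts an element but leaves an existing element's timeout untouched, whereas `update` inserts or refreshes it, so the drop chain uses `update`. Note that the `inet` family means the `ip saddr` rules only ever see IPv4 packets and the `ip6 saddr` rules only IPv6, which is why each family needs its own pair of sets.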


Thread overview: 2+ messages
     [not found] <20220922021238.donues3tuiufzbsn@sarek.home.aplund.id.au>
2022-09-22  5:40 ` Pablo Neira Ayuso [this message]
2023-04-16 18:40   ` Change in nft set element add syntax? Jacob Middag
