* nftables: How to add bordering ip-ranges to a named set
@ 2016-07-06 16:51 Matthias Taube
2016-07-07 18:33 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Matthias Taube @ 2016-07-06 16:51 UTC (permalink / raw)
To: netfilter
Hi,
if I define a named set in nftables
> nft 'add set inet filter black2 {type ipv4_addr; flags interval; }'
> nft add element inet filter black2 { 192.168.1.1/24 }
it is not possible to add bordering ip-ranges:
> nft add element inet filter black2 { 192.168.2.1/24 }
> <cmdline>:1:1-49: Error: Could not process rule: File exists
> add element inet filter black2 { 192.168.2.1/24 }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
but if I add the ranges in ONE command it works:
> nft add element inet filter black2 { 192.168.1.1/24, 192.168.2.1/24 }
then the ranges are put together into one ip-range:
> # nft list set inet filter black2
> table inet filter {
>         set black2 {
>                 type ipv4_addr
>                 flags interval
>                 elements = { 192.168.1.0-192.168.2.255}
>         }
> }
How is it possible to create a set to flexibly add and delete bordering
ip-ranges?
Kind regards
Matthias
* Re: nftables: How to add bordering ip-ranges to a named set
2016-07-06 16:51 nftables: How to add bordering ip-ranges to a named set Matthias Taube
@ 2016-07-07 18:33 ` Pablo Neira Ayuso
2016-07-08 18:19 ` Matthias Taube
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-07-07 18:33 UTC (permalink / raw)
To: Matthias Taube; +Cc: netfilter
On Wed, Jul 06, 2016 at 06:51:21PM +0200, Matthias Taube wrote:
> Hi,
>
> if I define a named set in nftables
> >nft 'add set inet filter black2 {type ipv4_addr; flags interval; }'
> >nft add element inet filter black2 { 192.168.1.1/24 }
>
> it is not possible to add bordering ip-ranges:
> >nft add element inet filter black2 { 192.168.2.1/24 }
> ><cmdline>:1:1-49: Error: Could not process rule: File exists
> >add element inet filter black2 { 192.168.2.1/24 }
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> but if I add the ranges in ONE command it works:
> >nft add element inet filter black2 { 192.168.1.1/24, 192.168.2.1/24 }
>
> then the ranges are put together into one ip-range:
> ># nft list set inet filter black2
> >table inet filter {
> >        set black2 {
> >                type ipv4_addr
> >                flags interval
> >                elements = { 192.168.1.0-192.168.2.255}
> >        }
> >}
>
> How is it possible to create a set to flexibly add and delete bordering
> ip-ranges?
This is fixed in the upcoming 4.7, you can give a try to 4.7-rc6. You
also have to install nft 0.6.
* Re: nftables: How to add bordering ip-ranges to a named set
2016-07-07 18:33 ` Pablo Neira Ayuso
@ 2016-07-08 18:19 ` Matthias Taube
0 siblings, 0 replies; 3+ messages in thread
From: Matthias Taube @ 2016-07-08 18:19 UTC (permalink / raw)
To: netfilter
On 07.07.2016 at 20:33, Pablo Neira Ayuso wrote:
> This is fixed in the upcoming 4.7, you can give a try to 4.7-rc6. You
> also have to install nft 0.6.
Thanks for the info. I will wait until this version is in debian sid.
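The coalescing seen in the set listing of the first message, modelled in userspace as an added example (not code from this thread or from nftables): host bits are masked, bordering ranges are merged into one interval, and removing a range splits the interval again. The function names are hypothetical; the family, table and set names are the ones from the post.

```python
import ipaddress

def to_interval(spec):
    """Parse 'a.b.c.d', 'a.b.c.d/len' or 'lo-hi' into inclusive integer bounds."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range runs backwards: {spec}")
        return lo, hi
    # strict=False masks host bits, so 192.168.1.1/24 becomes 192.168.1.0/24
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def merge(specs):
    """Coalesce overlapping and bordering ranges into disjoint intervals."""
    merged = []
    for lo, hi in sorted(to_interval(s) for s in specs):
        if merged and lo <= merged[-1][1] + 1:   # overlaps or touches previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def subtract(intervals, spec):
    """Remove one range, splitting any interval that only partly covers it."""
    lo, hi = to_interval(spec)
    kept = []
    for a, b in intervals:
        if b < lo or a > hi:          # no overlap: keep unchanged
            kept.append((a, b))
            continue
        if a < lo:                    # part below the removed range survives
            kept.append((a, lo - 1))
        if b > hi:                    # part above the removed range survives
            kept.append((hi + 1, b))
    return kept

def fmt(intervals):
    """Render intervals in the lo-hi form used in the set listing."""
    addr = ipaddress.IPv4Address
    return ", ".join(str(addr(a)) if a == b else f"{addr(a)}-{addr(b)}"
                     for a, b in intervals)

def add_command(intervals, family="inet", table="filter", name="black2"):
    """Build a single 'nft add element' command carrying every interval."""
    return f"nft add element {family} {table} {name} {{ {fmt(intervals)} }}"

if __name__ == "__main__":
    wanted = ["192.168.1.1/24", "192.168.2.1/24"]   # ranges from the post
    print(add_command(merge(wanted)))
    print(fmt(subtract(merge(wanted), "192.168.2.0/24")))
```

The two /24 networks border each other but do not form a single CIDR prefix, which is why the merged element can only be written as a lo-hi range.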