From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Andreas Hainke <andreas.hainke@foteviken.de>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables: Using variables in named sets
Date: Mon, 29 Aug 2016 18:04:29 +0200
Message-ID: <20160829160429.GA20024@salvia>
In-Reply-To: <97002fd1-5d03-64e7-37c0-3807c2c59d37@foteviken.de>
Hi Andreas,
On Mon, Aug 29, 2016 at 01:37:20PM +0200, Andreas Hainke wrote:
> Hi,
>
> I have a question regarding the definition of variables in nft. I have
> created two files rules.nft and definitions.nft. The file rules.nft
> contains a ruleset as follows:
>
> include "/opt/firewall/filter/definitions.nft"
> table inet forward {
> set s-ext-2-int {
> type ipv4_addr . inet_service
> elements = { $s-ext-2-int }
> }
>
> chain segments {
> type filter hook forward priority 0; policy drop;
> ct state established, related accept
>
> ip saddr $g_n_int ip daddr $n_dmz ct state new jump
> int-2-dmz
> ip saddr $n_dmz ip daddr $g_n_int ct state new jump
> dmz-2-int
> ip saddr $g_n_int ip daddr $n_ext ct state new jump
> int-2-ext
> ip saddr $n_ext ip daddr $g_n_int ct state new jump
> ext-2-int
Not related, but you can represent this in a more performant way
using maps; this is just a simplification of the ruleset above:
define g_n_int = 1.1.1.1
define n_dmz = 2.2.2.2
define n_ext = 3.3.3.3
table inet forward {
chain int-2-dmz {
}
chain dmz-2-int {
}
chain int-2-ext {
}
chain ext-2-int {
}
chain segments {
ct state new ip saddr . ip daddr vmap { \
$g_n_int . $n_dmz : jump int-2-dmz, \
$n_dmz . $g_n_int : jump dmz-2-int, \
$g_n_int . $n_ext : jump int-2-ext, \
$n_ext . $g_n_int : jump ext-2-int
}
}
}
This is very fast as we use concatenations and maps to find the
destination chain to jump to in O(1); this scales up nicely.
[...]
> I can use the variables as expected, except for named sets. Using only
> one element in s-ext-2-int is working properly, but as soon as I add a
> second element to the variable definition like this:
>
> define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
>
> I receive the following error while loading the rules using nft -f:
>
>
> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
> /opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected
> comma, expecting newline or semicolon
> n_int tcp dport 22 ct state new accept
> ^
> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
> /opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier
> 's-ext-2-int'
> elements = { $s-ext-2-int }
> ^^^^^^^^^^^
>
> Is it possible to use variables for named sets, maps, etc. or is this
> currently not possible?
I've submitted a patch for nft that I have tested with:
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
table inet forward {
set s-ext-2-int {
type ipv4_addr . inet_service
elements = $s-ext-2-int
}
}
http://patchwork.ozlabs.org/project/netfilter-devel/list/
Thanks for reporting.
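The two points in the thread, the braced set literal in a define so that `elements = $var` parses, and a single concatenated vmap lookup replacing the four sequential jump rules, combined into one loadable ruleset. This is an added example, not code from the thread or from the nftables project; the addresses, ports and the allow rules inside the per-direction chains are placeholders, and it assumes an nft release that includes the variable-in-set fix referenced above.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Addresses, ports and the contents
# of the per-direction chains are hypothetical placeholders.

flush ruleset

# Hosts used for the forward-path dispatch (hypothetical values).
define g_n_int = 10.0.0.1
define n_dmz   = 10.1.0.1
define n_ext   = 203.0.113.1

# The braces make this a set literal, so the comma-separated element list
# parses; without them the second element is a syntax error (the thread's bug).
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }

table inet forward {
	set s-ext-2-int {
		type ipv4_addr . inet_service
		# Assign the whole variable; do not wrap it in another pair of braces.
		elements = $s-ext-2-int
	}

	chain int-2-dmz {
		tcp dport { 80, 443 } accept
	}

	chain dmz-2-int {
		# Nothing allowed yet; traffic falls back to the base chain policy.
	}

	chain int-2-ext {
		accept
	}

	chain ext-2-int {
		# Only the (address, port) pairs held in the named set get through.
		ip daddr . tcp dport @s-ext-2-int accept
	}

	chain segments {
		type filter hook forward priority 0; policy drop;
		ct state established, related accept

		# One hash lookup on the (source, destination) pair selects the
		# chain, instead of four rules evaluated in sequence. The key is
		# saddr . daddr, so each direction maps to its own chain.
		ct state new ip saddr . ip daddr vmap {
			$g_n_int . $n_dmz : jump int-2-dmz,
			$n_dmz . $g_n_int : jump dmz-2-int,
			$g_n_int . $n_ext : jump int-2-ext,
			$n_ext . $g_n_int : jump ext-2-int
		}
	}
}
```

Validate the file without changing the live ruleset with `nft -c -f <file>`, then load it with `nft -f <file>` and confirm with `nft list ruleset` that the set contains both elements and that the vmap rule appears in chain segments. If the dispatch keys are network prefixes rather than single hosts, a concatenation containing prefixes needs the concatenated-interval support that arrived in nftables 0.9.4 and Linux 5.6; on older releases keep host addresses in the vmap or fall back to separate rules.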
Thread overview: 3+ messages
2016-08-29 11:37 nftables: Using variables in named sets Andreas Hainke
2016-08-29 16:04 ` Pablo Neira Ayuso [this message]
2016-09-06 9:55 ` Andreas Hainke