* nftables: Using variables in named sets
@ 2016-08-29 11:37 Andreas Hainke
From: Andreas Hainke @ 2016-08-29 11:37 UTC (permalink / raw)
To: netfilter
Hi,
I have a question regarding the definition of variables in nft. I have
created two files rules.nft and definitions.nft. The file rules.nft
contains a ruleset as follows:
include "/opt/firewall/filter/definitions.nft"
table inet forward {
set s-ext-2-int {
type ipv4_addr . inet_service
elements = { $s-ext-2-int }
}
chain segments {
type filter hook forward priority 0; policy drop;
ct state established, related accept
ip saddr $g_n_int ip daddr $n_dmz ct state new jump
int-2-dmz
ip saddr $n_dmz ip daddr $g_n_int ct state new jump
dmz-2-int
ip saddr $g_n_int ip daddr $n_ext ct state new jump
int-2-ext
ip saddr $n_ext ip daddr $g_n_int ct state new jump
ext-2-int
ip saddr $n_dmz ip daddr $n_ext ct state new jump dmz-2-ext
ip saddr $n_ext ip daddr $n_dmz ct state new jump ext-2-dmz
ip6 saddr $g6_n_int ip6 daddr $n6_dmz ct state new jump
int-2-dmz
ip6 saddr $n6_dmz ip6 daddr $g6_n_int ct state new jump
dmz-2-int
ip6 saddr $g6_n_int ip6 daddr $n6_ext ct state new jump
int-2-ext
ip6 saddr $n6_ext ip6 daddr $g6_n_int ct state new jump
ext-2-int
ip6 saddr $n6_dmz ip6 daddr $n6_ext ct state new jump
dmz-2-ext
ip6 saddr $n6_ext ip6 daddr $n6_dmz ct state new jump
ext-2-dmz
}
chain int-2-dmz {
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
ip saddr $g_h_int_DNS ip daddr $g_h_dmz_DNS udp dport 53
accept
#...
}
#...
}
The file rules.nft contains all variable definitions:
#########################
# Interface definitions #
#########################
define i_local = lo
define i_int = eth1
define i_dmz = eth2
define i_ext = eth0
define s-ext-2-int = 10.10.10.10 . 25
#######################
# Network definitions #
#######################
# Internal segments
define n_int = 10.10.10.0/24
define n_int_cluster = 10.10.20.0/24
#...
I can use the variables as expected, except for named sets. Using only
one element in s-ext-2-int is working properly, but as soon as I add a
second element to the variable definition like this:
define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
I receive the following error while loading the rules using nft -f:
In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
/opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected
comma, expecting newline or semicolon
n_int tcp dport 22 ct state new accept
^
In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
/opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier
's-ext-2-int'
elements = { $s-ext-2-int }
^^^^^^^^^^^
Is it possible to use variables for named sets, maps, etc. or is this
currently not possible?
Kind regards,
Andreas
* Re: nftables: Using variables in named sets
From: Pablo Neira Ayuso @ 2016-08-29 16:04 UTC (permalink / raw)
To: Andreas Hainke; +Cc: netfilter
Hi Andreas,
On Mon, Aug 29, 2016 at 01:37:20PM +0200, Andreas Hainke wrote:
> Hi,
>
> I have a question regarding the definition of variables in nft. I have
> created two files rules.nft and definitions.nft. The file rules.nft
> contains a ruleset as follows:
>
> include "/opt/firewall/filter/definitions.nft"
> table inet forward {
> set s-ext-2-int {
> type ipv4_addr . inet_service
> elements = { $s-ext-2-int }
> }
>
> chain segments {
> type filter hook forward priority 0; policy drop;
> ct state established, related accept
>
> ip saddr $g_n_int ip daddr $n_dmz ct state new jump
> int-2-dmz
> ip saddr $n_dmz ip daddr $g_n_int ct state new jump
> dmz-2-int
> ip saddr $g_n_int ip daddr $n_ext ct state new jump
> int-2-ext
> ip saddr $n_ext ip daddr $g_n_int ct state new jump
> ext-2-int
Not related, but you can represent this in a more performant way
using maps; here is just a simplification of the ruleset above:
define g_n_int = 1.1.1.1
define n_dmz = 2.2.2.2
define n_ext = 3.3.3.3
table inet forward {
chain int-2-dmz {
}
chain dmz-2-int {
}
chain int-2-ext {
}
chain ext-2-int {
}
chain segments {
ct state new ip saddr . ip daddr vmap { \
$g_n_int . $n_dmz : jump int-2-dmz, \
$n_dmz . $g_n_int : jump dmz-2-int, \
$g_n_int . $n_ext : jump int-2-ext, \
$n_ext . $g_n_int : jump ext-2-int
}
}
}
This is very fast as we use concatenations and maps to find the
destination chain to jump to in O(1); this scales up nicely.
[...]
> I can use the variables as expected, except for named sets. Using only
> one element in s-ext-2-int is working properly, but as soon as I add a
> second element to the variable definition like this:
>
> define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
>
> I receive the following error while loading the rules using nft -f:
>
>
> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
> /opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected
> comma, expecting newline or semicolon
> n_int tcp dport 22 ct state new accept
> ^
> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
> /opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier
> 's-ext-2-int'
> elements = { $s-ext-2-int }
> ^^^^^^^^^^^
>
> Is it possible to use variables for named sets, maps, etc. or is this
> currently not possible?
I've submitted a patch for nft that I have tested with:
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
table inet forward {
set s-ext-2-int {
type ipv4_addr . inet_service
elements = $s-ext-2-int
}
}
http://patchwork.ozlabs.org/project/netfilter-devel/list/
Thanks for reporting.
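The two suggestions in Pablo's reply, the variable holding a set literal (the syntax his patch enables) and the concatenation plus verdict map that replaces the per-pair jump rules, fit together in one ruleset. The following file is an added illustration, not code from the thread or from the nftables project. It keeps the variable and chain names from the thread; the addresses, the port pairs and the chain bodies are constructed placeholders.

```nft
# Added example (not from the thread): a complete ruleset combining a
# multi-element variable feeding a named set with a concatenated vmap that
# selects the segment chain in a single lookup. All values are constructed.

# --- definitions (in the thread these live in definitions.nft) ---
define g_n_int = 10.10.10.1
define n_dmz   = 10.10.30.1
define n_ext   = 192.0.2.1

# A variable holding several "address . port" elements. The braces are what
# makes this a single set value; a bare comma-separated list is parsed as
# separate tokens, which is the "unexpected comma" error from the thread.
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }

table inet forward {
    # Named set built from the variable: "elements = $var", not
    # "elements = { $var }", once the variable itself is a set literal.
    set s-ext-2-int {
        type ipv4_addr . inet_service
        elements = $s-ext-2-int
    }

    chain int-2-dmz {
        ip protocol icmp accept
    }
    chain dmz-2-int {
        ip protocol icmp accept
    }
    chain int-2-ext {
        ip protocol icmp accept
    }
    chain ext-2-int {
        # Only the (address, port) pairs held in the set are reachable
        # from the external segment; everything else returns to the base
        # chain and hits its drop policy.
        ip daddr . tcp dport @s-ext-2-int ct state new accept
    }

    chain segments {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # One concatenated lookup replaces the per-pair
        # "ip saddr X ip daddr Y jump Z" rules: the key is
        # (source, destination), the value is the verdict.
        ct state new ip saddr . ip daddr vmap {
            $g_n_int . $n_dmz   : jump int-2-dmz,
            $n_dmz   . $g_n_int : jump dmz-2-int,
            $g_n_int . $n_ext   : jump int-2-ext,
            $n_ext   . $g_n_int : jump ext-2-int
        }
    }
}
```

Check the file with `nft -c -f <file>` before applying it with `nft -f <file>`; `-c` parses and validates without touching the kernel ruleset, so a syntax error like the one in the thread is caught without leaving the firewall half-loaded. Two things to keep in mind: the base chain's `policy drop` means a jumped-to chain that returns without a verdict ends in a drop, which is the safe default for a segment firewall, and the vmap keys above are host addresses as in Pablo's example; using network prefixes in a concatenated key needs a named map with `flags interval`, which only newer nft releases support.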
* Re: nftables: Using variables in named sets
From: Andreas Hainke @ 2016-09-06 9:55 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hi Pablo,
thank you for the patch and the hint regarding the simplification of the
ruleset. It's now working as expected.
Kind regards,
Andreas
On 29.08.2016 at 18:04, Pablo Neira Ayuso wrote:
> Hi Andreas,
>
> On Mon, Aug 29, 2016 at 01:37:20PM +0200, Andreas Hainke wrote:
>> Hi,
>>
>> I have a question regarding the definition of variables in nft. I have
>> created two files rules.nft and definitions.nft. The file rules.nft
>> contains a ruleset as follows:
>>
>> include "/opt/firewall/filter/definitions.nft"
>> table inet forward {
>> set s-ext-2-int {
>> type ipv4_addr . inet_service
>> elements = { $s-ext-2-int }
>> }
>>
>> chain segments {
>> type filter hook forward priority 0; policy drop;
>> ct state established, related accept
>>
>> ip saddr $g_n_int ip daddr $n_dmz ct state new jump
>> int-2-dmz
>> ip saddr $n_dmz ip daddr $g_n_int ct state new jump
>> dmz-2-int
>> ip saddr $g_n_int ip daddr $n_ext ct state new jump
>> int-2-ext
>> ip saddr $n_ext ip daddr $g_n_int ct state new jump
>> ext-2-int
> Not related, but you can represent this in a more performant way
> using maps; here is just a simplification of the ruleset above:
>
> define g_n_int = 1.1.1.1
> define n_dmz = 2.2.2.2
> define n_ext = 3.3.3.3
>
> table inet forward {
> chain int-2-dmz {
> }
> chain dmz-2-int {
> }
> chain int-2-ext {
> }
> chain ext-2-int {
> }
>
> chain segments {
> ct state new ip saddr . ip daddr vmap { \
> $g_n_int . $n_dmz : jump int-2-dmz, \
> $n_dmz . $g_n_int : jump dmz-2-int, \
> $g_n_int . $n_ext : jump int-2-ext, \
> $n_ext . $g_n_int : jump ext-2-int
> }
> }
> }
>
> This is very fast as we use concatenations and maps to find the
> destination chain to jump to in O(1); this scales up nicely.
>
> [...]
>> I can use the variables as expected, except for named sets. Using only
>> one element in s-ext-2-int is working properly, but as soon as I add a
>> second element to the variable definition like this:
>>
>> define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
>>
>> I receive the following error while loading the rules using nft -f:
>>
>>
>> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
>> /opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected
>> comma, expecting newline or semicolon
>> n_int tcp dport 22 ct state new accept
>> ^
>> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
>> /opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier
>> 's-ext-2-int'
>> elements = { $s-ext-2-int }
>> ^^^^^^^^^^^
>>
>> Is it possible to use variables for named sets, maps, etc. or is this
>> currently not possible?
> I've submitted a patch for nft that I have tested with:
>
> define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
>
> table inet forward {
> set s-ext-2-int {
> type ipv4_addr . inet_service
> elements = $s-ext-2-int
> }
> }
>
> http://patchwork.ozlabs.org/project/netfilter-devel/list/
>
> Thanks for reporting.