nftables: Intervals inside of maps?

nftables: Intervals inside of maps?

[Andreas Hainke]

[-- Attachment #1.1: Type: text/plain, Size: 1531 bytes --]

Hello,

does anybody know if it's possible to use intervals inside of maps?
Pablo already pointed out that it is possible to use maps as follows to
handle rule processing more efficient:

nft add rule test myChain ip saddr . ip daddr vmap { 10.10.10.15 .
10.10.20.5 : accept, 10.10.10.1 . 10.10.20.1 : accept}

table ip test {
    chain myChain {
        ip saddr . ip daddr vmap { 10.10.10.15 . 10.10.20.5 : accept,
10.10.10.1 . 10.10.20.1 : accept}
    }
}



If I try to use intervals in maps the same way, I receive the following
output:

root@fw:~# nft add rule test myChain ip saddr . ip daddr vmap {
10.10.10.0/24 . 10.10.20.0/24 : accept }
<cmdline>:1:64-64: Error: syntax error, unexpected ., expecting colon
add rule test myChain ip saddr . ip daddr vmap { 10.10.10.0/24 .
10.10.20.0/24 : accept }
                                      
                                                              ^


I also tried to add a map using the flag interval which will be
converted into a set without a verdict like this:

root@fw:~# nft list ruleset
table ip test {
    chain myChain {
    }
}
root@fw:~# nft add map test myMap { type ipv4_addr . ipv4_addr : verdict
\; flags interval \; }
root@fw:~# nft list ruleset
table ip test {
    set myMap {
        type ipv4_addr . ipv4_addr
        flags interval
    }

    chain myChain {
    }
}
root@fw:~#


So I guess using intervals inside of maps is currently not supported, is
this correct?

Kind regards
Andreas


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: nftables: Intervals inside of maps?

[Pablo Neira Ayuso]

On Thu, Sep 15, 2016 at 02:13:55PM +0200, Andreas Hainke wrote:
> Hello,
> 
> does anybody know if it's possible to use intervals inside of maps?
> Pablo already pointed out that it is possible to use maps as follows to
> handle rule processing more efficient:
> 
> nft add rule test myChain ip saddr . ip daddr vmap { 10.10.10.15 .
> 10.10.20.5 : accept, 10.10.10.1 . 10.10.20.1 : accept}
> 
> table ip test {
>     chain myChain {
>         ip saddr . ip daddr vmap { 10.10.10.15 . 10.10.20.5 : accept,
> 10.10.10.1 . 10.10.20.1 : accept}
>     }
> }
>
> If I try to use intervals in maps the same way, I receive the following
> output:
> 
> root@fw:~# nft add rule test myChain ip saddr . ip daddr vmap {
> 10.10.10.0/24 . 10.10.20.0/24 : accept }
> <cmdline>:1:64-64: Error: syntax error, unexpected ., expecting colon
> add rule test myChain ip saddr . ip daddr vmap { 10.10.10.0/24 .
> 10.10.20.0/24 : accept }

Please, give a try to this:

# nft add rule test myChain \
        ip saddr and 255.255.255.0 . ip daddr and 255.255.255.0 \
                vmap { 10.10.10.0 . 10.10.20.0 : accept }

Note that this is not an interval, this is masking the ip saddr and ip
daddr, then concate both results. This concatenation is used to lookup
for a matching of this the result in the map.

Using a named set, you can do:

# nft add map test myMap { type ipv4_addr . ipv4_addr : verdict \; }
# nft add rule test myChain \
        ip saddr and 255.255.255.0 . ip saddr and 255.255.255.0 vmap @myMap
# nft add element test myMap { 10.10.10.0 . 10.10.20.0 : accept }

It should be easy to provide a more compact syntax using prefixes, eg.
ip saddr /24. I have a patch for this in a branch but I need to finish
the listing side to print a prefix from there too.

P.S: It would be great if anyone can add this to the nftables wiki.