* nftables: No prefixes in anonymous sets?
@ 2019-12-02 9:10 Jan-Philipp Litza
From: Jan-Philipp Litza @ 2019-12-02 9:10 UTC (permalink / raw)
To: netfilter
Hi everyone,
surely not only for me, sets were one of the main reasons to switch from
iptables to nftables. However, I was very disappointed that anonymous IP
address sets don't support prefixes (ranges):
/etc/nftables.conf:5:20-29: Error: Set member cannot be prefix, missing
interval flag on declaration
ip saddr { 8.8.8.8/32, 1.1.1.1/32 } drop
^^^^^^^^^^
Poking around in the source code, I found the relevant line [1] that
explicitly checks for anonymous sets. Apparently it was added in [2] to
give the user a better error message than some "BUG".
But couldn't you also simply (or maybe not so simply) "upgrade" the
anonymous set to an interval-capable set when you encounter a prefix?
Or, if this is totally impossible, maybe add a syntax to explicitly give
anonymous sets the interval flag? Or are anonymous sets inside the
kernel itself somehow incapable of containing prefixes?
Also, why isn't this message triggered by something like "tcp dport {
22-23, 80, 443 }"? Isn't this a range in an anonymous set as well?
Best regards,
Jan-Philipp Litza
PS: Not on the list, so please CC me directly.
[1]: https://git.netfilter.org/nftables/tree/src/evaluate.c#n1298
[2]: https://git.netfilter.org/nftables/commit/src/evaluate.c?id=3f84f4ad0568f22106f283a3077a85957e83fe57
--
Jan-Philipp Litza
PLUTEX GmbH
Hermann-Ritter-Str. 108
28197 Bremen
Hotline: 0800 100 400 800
Telefon: 0800 100 400 821
Telefax: 0800 100 400 888
E-Mail: support@plutex.de
Internet: http://www.plutex.de
USt-IdNr.: DE 815030856
Handelsregister: Amtsgericht Bremen, HRB 25144
Geschäftsführer: Torben Belz, Hendrik Lilienthal
* Re: nftables: No prefixes in anonymous sets?
From: Florian Westphal @ 2019-12-02 20:06 UTC (permalink / raw)
To: Jan-Philipp Litza; +Cc: netfilter
Jan-Philipp Litza <jpl+direct@plutex.de> wrote:
> Hi everyone,
>
> surely not only for me, sets were one of the main reasons to switch from
> iptables to nftables. However, I was very disappointed that anonymous IP
> address sets don't support prefixes (ranges):
They do...
> /etc/nftables.conf:5:20-29: Error: Set member cannot be prefix, missing
> interval flag on declaration
> ip saddr { 8.8.8.8/32, 1.1.1.1/32 } drop
> ^^^^^^^^^^
Which nft and libnftnl versions are these?
This code is taken for non-anon sets.
> Poking around in the source code, I found the relevant line [1] that
> explicitly checks for anonymous sets. Apparently it was added in [2] to
> give the user a better error message that some "BUG".
Note the ! -- this check is done for named sets.
> But couldn't you also simply (or maybe not so simply) "upgrade" the
> anonymous set to an interval-capable set when you encounter a prefix?
That's what is supposed to happen already.
> Also, why isn't this message triggerd by something like "tcp dport {
> 22-23, 80, 443 }"? Isn't this a range in an anonymous set as well?
Yes, it's a range.
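To illustrate the distinction Florian draws, here is an added ruleset (not from the thread) in which the anonymous set carries prefixes and a port range with no declaration at all, while the equivalent named set must be declared with `flags interval`. Table, chain and set names are invented and the addresses are RFC 5737 documentation ranges.

```nft
# Added example, not part of the original thread.
table inet filter {
    # Named set: prefixes are only accepted because of "flags interval".
    # Declaring the same elements without that line reproduces the error
    # "Set member cannot be prefix, missing interval flag on declaration".
    set blocked_named {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Anonymous set: nft infers the interval flag itself when it sees a
        # prefix, so no declaration is needed.
        ip saddr { 192.0.2.0/24, 203.0.113.0/25 } drop

        # The named set is referenced with "@".
        ip saddr @blocked_named drop

        # A port range in an anonymous set works for the same reason.
        tcp dport { 22-23, 80, 443 } accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it; the check parses and evaluates the ruleset, so a missing interval flag on a named set is reported there rather than at load time.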
* Re: nftables: No prefixes in anonymous sets?
From: Jan-Philipp Litza @ 2019-12-03 7:44 UTC (permalink / raw)
To: Florian Westphal, Jan-Philipp Litza; +Cc: netfilter
Florian Westphal wrote:
> Which nft and libnftnl versions are this?
>
> This code is taken for non-anon sets.
>
> Note the ! -- this check is done for named sets.
I'm totally confused and ashamed right now.
Of course that code is only taken for named sets. And trying to
reproduce the bug again, it works flawlessly with the exact . So either
this is a Heisenbug, or I was even more confused when writing my
original mail. I cannot tell.
In case it matters anyway: This happened (and then worked) on Debian
Buster, libnl-3-200 version 3.4.0-1 and nftables version 0.9.0-2
Sorry to waste your time!