* How to concatenate subnet with port in a set?
From: etkaar @ 2021-03-16 15:34 UTC (permalink / raw)
To: netfilter
Hello!
I am currently using <nftables v0.9.0 (Fearless Fosdick)> on Debian 10 (Buster). For a whitelist, I thought about a set like this:
1> set whitelist_ipv4_tcp {2> type inet_service . ipv4_addr3> elements = {4> 22 . 255.255.255.255,5> 22 . 255.255.255.0/246> }7> }
You can see that on line 5 I used a port concatenated by an IPv4 subnet. Unfortunately, this will not work. I could use subnets, but only as a simple unconcatenated set.
My question is: When will it be possible to concatenate subnets with different types such as inet_service (= port) in sets? Or is it already possible in a newer version than 0.9.0?
--etkaar
* Re: How to concatenate subnet with port in a set?
From: etkaar @ 2021-03-16 15:52 UTC (permalink / raw)
To: netfilter
Sorry, the code was unprettified in my initial email:
1> set whitelist_ipv4_tcp {
2>     type inet_service . ipv4_addr
3>     elements = {
4>         22 . 255.255.255.255,
5>         22 . 255.255.255.0/24
6>     }
7> }
--etkaar
* Re: How to concatenate subnet with port in a set?
From: Frank Myhr @ 2021-03-16 16:04 UTC (permalink / raw)
To: lists.netfilter.org+0cvssbcc2j, netfilter
On 2021/03/16 11:34, etkaar wrote:
> Hello!
> I am currently using <nftables v0.9.0 (Fearless Fosdick)> on Debian 10 (Buster). For a whitelist, I thought about a set like this:
> 1> set whitelist_ipv4_tcp {2> type inet_service . ipv4_addr3> elements = {4> 22 . 255.255.255.255,5> 22 . 255.255.255.0/246> }7> }
> You can see that on line 5 I used a port concatenated by an IPv4 subnet. Unfortunately, this will not work. I could use subnets, but only as a simple unconcatenated set.
> My question is: When will it be possible to concatenate subnets with different types such as inet_service (= port) in sets? Or is it already possible in a newer version than 0.9.0?
Hi Etkaar,
https://marc.info/?l=netfilter&m=158575148505527&w=2
nftables 0.9.4 / Linux kernel 5.6 added support for ranges in
concatenations.
Best Wishes,
Frank
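Added example, not part of the thread and not code from either poster: a POSIX shell pre-flight that checks the two thresholds given in the reply (nftables 0.9.4, Linux kernel 5.6) and prints the whitelist set from the question in a form those versions accept. The helper names, the table name `example` and the addresses (documentation ranges) are constructed for illustration; `flags interval` is the set flag that allows a prefix such as a /24 inside the concatenated element.

```shell
# ver_ge A B: succeed when dotted version A >= B; a suffix such as "-14-amd64" is ignored.
ver_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# concat_ranges_supported NFT_VERSION KERNEL_RELEASE (hypothetical helper):
# both thresholds from the reply must be met.
concat_ranges_supported() {
    ver_ge "$1" 0.9.4 && ver_ge "$2" 5.6
}

# The set from the question plus "flags interval"; addresses are constructed.
whitelist_ruleset() {
    cat <<'EOF'
table inet example {
    set whitelist_ipv4_tcp {
        type inet_service . ipv4_addr
        flags interval
        elements = {
            22 . 192.0.2.10,
            22 . 198.51.100.0/24
        }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport . ip saddr @whitelist_ipv4_tcp accept
    }
}
EOF
}

# Usage on the target host (-c only validates, nothing is loaded):
#   v=$(nft --version | sed -n 's/^nftables v\([0-9.]*\).*/\1/p')
#   concat_ranges_supported "$v" "$(uname -r)" && whitelist_ruleset | nft -c -f -
```

Note that the match expression lists its fields in the same order as the set's `type` line: port first, then source address.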