On 7 September 2015 at 20:50, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sun, Sep 06, 2015 at 07:52:47PM +0100, Wilmer van der Gaast wrote:
>> Hello,
>>
>> The "inet" family is a great idea for unifying IPv4 and IPv6
>> firewalling, but I just ran into one thing I'm missing.
>>
>> nft lets me define sets with both IPv4 and IPv6 addresses, but once
>> I try using them things go wrong - I assume this means that the
>> addresses aren't actually parsed until that point?
>>
>> I can invoke the set from an ip match, and it will complain about
>> IPv6 addresses in the list being invalid. And vice versa, invoke the
>> set from an "ip6" match and the IPv4 addresses will cause parse
>> errors.
>>
>> Would it be possible to either have an "inet" match rule, or tell
>> nft to skip unknown address families so I could just invoke the set
>> twice, once using "ip" and once using "ip6" match rule, without
>> running into syntax errors?
>>
>> I could of course just define two separate sets to get something
>> similar to my alternative idea, and maybe I'll try that, but it gets
>> kludgier that way. :-(
>
> Could you illustrate with examples what you would like to have and the
> limitations you are currently hitting?
>

I guess Wilmer is talking about multi-datatype sets (IPv4 and IPv6 mixed
addresses). That would be a nice feature indeed.

@Wilmer: AFAIK that's not possible by now. It would require some changes in
the kernel. Among other things, IPv4 and IPv6 addresses have different
lengths. I guess it would require a special syntax in userspace for the
anon-set case as well.
This seems to be the expected behaviour right now:

# nft add rule inet filter input ip6 saddr @ipv4_set
<cmdline>:1:38-42: Error: datatype mismatch, expected IPv6 address, set has type IPv4 address

--
Arturo Borrero González
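For reference, the workaround Wilmer mentions (two separate sets, one per address family, both referenced from the same inet table) in ruleset form. This is an added example, not a ruleset posted in the thread; the table, set and chain names and the addresses are made up, and the addresses are constructed sample data from documentation ranges.

```nft
# Added example, not from the thread. Load with: nft -f ruleset.nft
# Syntax-check without touching the kernel: nft -c -f ruleset.nft
#
# A single set cannot mix ipv4_addr and ipv6_addr elements, so the
# block list is split by family and each rule matches its own family.
table inet filter {
    # IPv4-only set. "flags interval" is required for prefix elements.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # constructed sample addresses
    }

    # IPv6-only set, same shape, separate datatype.
    set blocked_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::1, 2001:db8:1::/48 }  # constructed sample addresses
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Each family's header is matched against the set of the same family.
        ip saddr @blocked_v4 counter drop
        ip6 saddr @blocked_v6 counter drop

        # The mismatch from the thread is a load-time error, not a silent
        # miss; this line would make "nft -c -f" reject the whole file:
        #   ip6 saddr @blocked_v4 drop
        #   Error: datatype mismatch, expected IPv6 address, set has type IPv4 address
    }
}
```

Because the inet family carries both protocols, the two rules sit in one chain and one table; only the set (and the `ip` vs `ip6` header selector) is duplicated. Running the file through `nft -c -f` first is the cheap way to catch the datatype mismatch before a partially loaded ruleset leaves one family unfiltered.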