On Wed, Jan 13, 2016 at 07:35:09PM +0000, Asbjørn Sloth Tønnesen wrote:
> Hi,
>
> I have been trying to migrate an ipset net:hash set to a nftables set.
> I don't need the nomatch feature of ipset net:hash, a set with network
> prefixes should do just fine. I do need it as a named set through.
>
> A plain type ipv4_addr set can only hold individual addresses, so
> that doesn't work with network prefixes.
>
> I found the flags interval in the bison code, and so I tried
> to test if that would work.
>
> # nft add table testtbl
> # nft add set testtbl testset { type ipv4_addr\; flags interval\; }
> # nft add element testtbl testset { 192.168.3.0/24 }
> > BUG: invalid data expression type prefix
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0-192.168.3.255 }
> > BUG: invalid data expression type range
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0, 192.168.3.255 }
> # nft list tables
> > Segmentation fault
> # nft flush ruleset
> > Segmentation fault
>
> How was the interval flag intended to work?
Just posted several patches on the mailing list, it would be good if
you can intensively test them. They apply on top of the current git
tree.
BTW, deletion is not implemented in nft, but I think it should be easy
to follow up with a patch to make it.
> It would be great if the ipset article on the wiki, could have some info
> on how to migrate separate ipset types to nftables set types.
Would you like to start such article? I can create an account in the
wiki page too, it would be a nice contribution.
Let me know,
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
