On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> Hello,
>
> As of nftables 0.8.1, it seems I can no longer write anonymous sets
> which contain overlapping networks (CIDR masks).
>
> For example, I want to write the following ruleset:
>
> #!/usr/bin/nft -f
> define users = { 10.0.0.0/8, 193.219.181.192/26 }
> define admins = { 10.123.0.0/24, 31.220.42.129 }
> define allowed = { $users, $admins }
> table inet filter {
> chain foobar {
> ip saddr $allowed accept
> }
> }
>
> results in an error message:
>
> Error: interval overlaps with previous one
>
> I noticed a few nftables.git commits related to disabling auto-merge
> for interval sets... but mine don't have the 'interval' flag, and
> there doesn't seem to be any way to specify 'auto-merge' for anonymous
> sets, either.
I would like not to enable this by default since typo in rulesets
could go through unnoticed.
So the two alternatives I see are:
1) add per-table configuration options, this would allow us to
enable auto-merge explicitly for all anonymous sets. This is also
required if we want to allow user to select "policy memory;" for
anonymous sets. Only problem with this approach is that this needs
a kernel patch, so it will take a while to restore the behaviour you
want since we need a new NFTA_TABLE_USERDATA attribute to store user
preferences on this.
2) We add a -m option that we can combine with -f for this, which
globally enables auto-merge for every set, including anonymous and
named sets.
Let me know.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
