Re: Overlapping IP networks no longer allowed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> > Hello,
> > 
> > As of nftables 0.8.1, it seems I can no longer write anonymous sets
> > which contain overlapping networks (CIDR masks).
> > 
> > For example, I want to write the following ruleset:
> > 
> > #!/usr/bin/nft -f
> > define users = { 10.0.0.0/8, 193.219.181.192/26 }
> > define admins = { 10.123.0.0/24, 31.220.42.129 }
> > define allowed = { $users, $admins }
> > table inet filter {
> >         chain foobar {
> >                 ip saddr $allowed accept
> >         }
> > }
> > 
> > results in an error message:
> > 
> >     Error: interval overlaps with previous one
> > 
> > I noticed a few nftables.git commits related to disabling auto-merge
> > for interval sets... but mine don't have the 'interval' flag, and
> > there doesn't seem to be any way to specify 'auto-merge' for anonymous
> > sets, either.
> 
> I would like not to enable this by default since typo in rulesets
> could go through unnoticed.

nft add rule filter input ip protocol '{6 ,tcp }'
works just fine, eliminating duplicate set elements.
So I don't see how that is different from removing the redundant parts
of an anon set.

Especially with 'define' things I believe that automerge by default
is desireable.

> So the two alternatives I see are:
> 
> 1) add per-table configuration options, this would allow us to
>    enable auto-merge explicitly for all anonymous sets. This is also
>    required if we want to allow user to select "policy memory;" for
>    anonymous sets. Only problem with this approach is that this needs
>    a kernel patch, so it will take a while to restore the behaviour you
>    want since we need a new NFTA_TABLE_USERDATA attribute to store user
>    preferences on this.

Right.

> 2) We add a -m option that we can combine with -f for this, which
>    globally enables auto-merge for every set, including anonymous and
>    named sets.

What about doing automerge by default again for anon sets?

I know you don't like it but it restores old behaviour.
We could have a debug option that tells users which addresse(s) were
autoremoved.

The typo argument -- not sure its a valid:
Consider '10.0.0.01' (instead of .10), we don't try to be 'smart'
and thats a good thing.

For named sets, the no automerge makes sense because it seems like
we can't make any reasonable default choice when users try to delete
a no-longer existing (i.e. merged) element.

But that problem doesn't exist with constant (anon or not) sets.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux