Hello, Netfilter-devel.

I tried to set up autoloading of rules for nftables.

First, I created a file with a set of IPv4 addresses and applied it:

yacudzer@adm-ovpn-03:/etc/nftables$ cat OpenVPN_set_PRD-RMQ-star.nft
table ip filter {
        set OpenVPN_set_PRD-RMQ-star {
                type ipv4_addr
                elements = { 10.22.0.62, 10.22.0.93, 10.22.0.95 }
        }
}
yacudzer@adm-ovpn-03:/etc/nftables$ sudo nft -f OpenVPN_set_PRD-RMQ-star.nft

Then, I created a file that uses this set:

yacudzer@adm-ovpn-03:/etc/nftables$ cat ovpn-RabbitMQ.nft
add chain filter OpenVPN-RabbitMQ
flush chain filter OpenVPN-RabbitMQ
table ip filter {
        set OpenVPN_set_PRD-RMQ-star {
                type ipv4_addr
                elements = { 10.22.0.62, 10.22.0.93, 10.22.0.95 }
        }
        chain OpenVPN-RabbitMQ {
                ip daddr @OpenVPN_set_PRD-RMQ-star accept
                return
        }
}

And when I tried to apply it, I see this error message:

yacudzer@adm-ovpn-03:/etc/nftables$ sudo nft -f ovpn-RabbitMQ.nft
ovpn-RabbitMQ.nft:6:26-50: Error: Set 'OpenVPN_set_PRD-RMQ-star' does not exist
                ip daddr @OpenVPN_set_PRD-RMQ-star accept
                         ^^^^^^^^^^^^^^^^^^^^^^^^^

If I place the set rule in the same file, everything is OK:

yacudzer@adm-ovpn-03:/etc/nftables$ cat ovpn-RabbitMQ.nft
add chain filter OpenVPN-RabbitMQ
flush chain filter OpenVPN-RabbitMQ
table ip filter {
        set OpenVPN_set_PRD-RMQ-star {
                type ipv4_addr
                elements = { 10.22.0.62, 10.22.0.93, 10.22.0.95 }
        }
        chain OpenVPN-RabbitMQ {
                ip daddr @OpenVPN_set_PRD-RMQ-star accept
                return
        }
}
yacudzer@adm-ovpn-03:/etc/nftables$ sudo nft -f ovpn-RabbitMQ.nft

The error occurs only when the set and the rule are in different files.

I think that it is a bug. I tried versions 0.9.0 (in the Debian repo) and 0.9.6 (compiled manually).

--
Best regards,
Evgeniy
mailto:yacudzer@xxxxxxx