Hello, Netfilter list.

I'll start by thanking the Netfilter team for nftables; this is a fascinating project, and I'm enjoying my studies of it.

I write because I believe I have found a discrepancy between anonymous sets and named sets, and I wish to inquire further. It seems that anonymous sets having IP/mask notation are classified as type ipv4_addr, shown in example one below. It also seems that named sets of type ipv4_addr cannot leverage the same notation, shown in example two below. Is this intended?

I included some rudimentary version data for my Gentoo host. Please advise if more information is needed, and thank you.

Regards,
Garrett

Version Info
-----------------
bash# nft --version
nftables v0.5 (Support Edward Snowden)
bash# uname -srp
Linux 4.4.4 AMD GX-420CA SOC with Radeon(tm) HD Graphics

*monolithic kernel
*NFtables enabled and built-in
*iptables and xtables disabled
*libnftnl 1.0.5
*libmnl 1.0.3

Example One - Anonymous Set with Subnet
-------------------
nft -i
nft> add rule filter input meta iifname "eth1" ip saddr { 10.0.0.0/8,192.168.0.0/16 } counter log drop
nft> list sets
        set set0 {
                type ipv4_addr
                flags constant,interval
                elements = { 10.0.0.0/8, 192.168.0.0/16}
        }

Example Two - Named Set, type ipv4_addr, Subnet Add Fails
-------------------
nft -i
nft> add set filter rfc1918 { type ipv4_addr;}
nft> add element filter rfc1918 { 172.16.0.0/12 }
*** nft: netlink.c:326: netlink_gen_data: Assertion '0' failed. ***
nft -i
nft> list sets
        set rfc1918 {
                type ipv4_addr
        }
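
In the two listings in the message, the anonymous set carries "flags constant,interval" while the named set has no flags at all. The ruleset below is an added example, not part of the original message: it declares the named set with the interval flag, which nftables requires before a set can hold prefixes or ranges. The table and chain layout is assumed; only the names filter, input, rfc1918 and eth1 come from the post.

```nftables
# Added example (assumed layout). Load with: nft -f <file>
table ip filter {
        # Without "flags interval" a set of type ipv4_addr stores single
        # host addresses only, so 172.16.0.0/12 is not a valid element.
        set rfc1918 {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
        }

        chain input {
                type filter hook input priority 0; policy accept;

                # Same match as Example One, but referencing the named set,
                # so the prefix list can be maintained separately from the rule.
                iifname "eth1" ip saddr @rfc1918 counter log drop
        }
}
```

After loading, "nft list sets" should show the named set with "flags interval", matching the interval flag seen on the anonymous set in Example One.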