Hi,

I have a question regarding the definition of variables in nft. I have created two files, rules.nft and definitions.nft. The file rules.nft contains a ruleset as follows:

    include "/opt/firewall/filter/definitions.nft"

    table inet forward {
        set s-ext-2-int {
            type ipv4_addr . inet_service
            elements = { $s-ext-2-int }
        }

        chain segments {
            type filter hook forward priority 0; policy drop;

            ct state established, related accept

            ip saddr $g_n_int ip daddr $n_dmz ct state new jump int-2-dmz
            ip saddr $n_dmz ip daddr $g_n_int ct state new jump dmz-2-int
            ip saddr $g_n_int ip daddr $n_ext ct state new jump int-2-ext
            ip saddr $n_ext ip daddr $g_n_int ct state new jump ext-2-int
            ip saddr $n_dmz ip daddr $n_ext ct state new jump dmz-2-ext
            ip saddr $n_ext ip daddr $n_dmz ct state new jump ext-2-dmz

            ip6 saddr $g6_n_int ip6 daddr $n6_dmz ct state new jump int-2-dmz
            ip6 saddr $n6_dmz ip6 daddr $g6_n_int ct state new jump dmz-2-int
            ip6 saddr $g6_n_int ip6 daddr $n6_ext ct state new jump int-2-ext
            ip6 saddr $n6_ext ip6 daddr $g6_n_int ct state new jump ext-2-int
            ip6 saddr $n6_dmz ip6 daddr $n6_ext ct state new jump dmz-2-ext
            ip6 saddr $n6_ext ip6 daddr $n6_dmz ct state new jump ext-2-dmz
        }

        chain int-2-dmz {
            ip protocol icmp accept
            ip6 nexthdr ipv6-icmp accept
            ip saddr $g_h_int_DNS ip daddr $g_h_dmz_DNS udp dport 53 accept
            #...
        }

        #...
    }

The file rules.nft contains all variable definitions:

    #########################
    # Interface definitions #
    #########################
    define i_local = lo
    define i_int = eth1
    define i_dmz = eth2
    define i_ext = eth0

    define s-ext-2-int = 10.10.10.10 . 25

    #######################
    # Network definitions #
    #######################

    # Internal segments
    define n_int = 10.10.10.0/24
    define n_int_cluster = 10.10.20.0/24
    #...

I can use the variables as expected, except for named sets.

Using only one element in s-ext-2-int is working properly, but as soon as I add a second element to the variable definition like this:

    define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143

I receive the following error while loading the rules using nft -f:

    In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
    /opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected comma, expecting newline or semicolon
    n_int tcp dport 22 ct state new accept
                                         ^
    In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
    /opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier 's-ext-2-int'
            elements = { $s-ext-2-int }
                          ^^^^^^^^^^^

Is it possible to use variables for named sets, maps, etc., or is this currently not possible?

Kind regards,
Andreas
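The following is an added example, not part of Andreas' message or the netfilter project's own documentation. It shows the nft syntax for a variable that holds more than one set element: the list is wrapped in braces in the define itself, which makes the variable a set expression, and the set body then uses elements = $var without a second pair of braces. A scalar define (one value, no braces) keeps working in the elements = { $var } form the poster already uses. The file path in the include line, the table layout and the second set mailhosts are assumptions made for the example; the addresses and ports are the ones from the question.

```nft
# definitions.nft (assumed file name and content for this example)

# Scalar define: one value. Use it inside braces in a set body.
define h_mail = 10.10.10.10

# Set-valued define: braces belong here, commas go inside them.
# Concatenations (address . port) are allowed as set elements.
define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }

# rules.nft (assumed include path for this example)
include "/etc/nftables.d/definitions.nft"

table inet forward {
    set s-ext-2-int {
        type ipv4_addr . inet_service
        # The variable already is a set, so no extra braces around it.
        elements = $s-ext-2-int
    }

    # Scalar variable: braces around it turn the single value into a set.
    set mailhosts {
        type ipv4_addr
        elements = { $h_mail }
    }

    chain segments {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Lookup against the concatenated set: destination address . TCP port.
        ip daddr . tcp dport @s-ext-2-int ct state new accept
    }
}
```

Before loading with nft -f, nft -c -f rules.nft parses and validates the ruleset without committing it, so a syntax error in a define shows up without the live ruleset being touched. Variables ($name) and named sets (@name) live in separate namespaces, so keeping the same name for both, as in the question, is fine.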