Hi Pablo,

thank you for the patch and the hint regarding the simplification of the ruleset. It's now working as expected.

Kind regards,
Andreas

On 29.08.2016 at 18:04, Pablo Neira Ayuso wrote:
> Hi Andreas,
>
> On Mon, Aug 29, 2016 at 01:37:20PM +0200, Andreas Hainke wrote:
>> Hi,
>>
>> I have a question regarding the definition of variables in nft. I have
>> created two files rules.nft and definitions.nft. The file rules.nft
>> contains a ruleset as follows:
>>
>> include "/opt/firewall/filter/definitions.nft"
>> table inet forward {
>>     set s-ext-2-int {
>>         type ipv4_addr . inet_service
>>         elements = { $s-ext-2-int }
>>     }
>>
>>     chain segments {
>>         type filter hook forward priority 0; policy drop;
>>         ct state established, related accept
>>
>>         ip saddr $g_n_int ip daddr $n_dmz ct state new jump int-2-dmz
>>         ip saddr $n_dmz ip daddr $g_n_int ct state new jump dmz-2-int
>>         ip saddr $g_n_int ip daddr $n_ext ct state new jump int-2-ext
>>         ip saddr $n_ext ip daddr $g_n_int ct state new jump ext-2-int
> Not related, but you can represent this in a more performant way
> using maps, just a simplification of the ruleset above:
>
> define g_n_int = 1.1.1.1
> define n_dmz = 2.2.2.2
> define n_ext = 3.3.3.3
>
> table inet forward {
>     chain int-2-dmz {
>     }
>     chain dmz-2-int {
>     }
>     chain int-2-ext {
>     }
>     chain ext-2-int {
>     }
>
>     chain segments {
>         # key is the (source, destination) pair, so saddr . daddr
>         ct state new ip saddr . ip daddr vmap { \
>             $g_n_int . $n_dmz : jump int-2-dmz, \
>             $n_dmz . $g_n_int : jump dmz-2-int, \
>             $g_n_int . $n_ext : jump int-2-ext, \
>             $n_ext . $g_n_int : jump ext-2-int \
>         }
>     }
> }
>
> This is very fast as we use concatenations and maps to find the
> destination chain to jump to in O(1); this scales up nicely.
>
> [...]
>> I can use the variables as expected, except for named sets. Using only
>> one element in s-ext-2-int is working properly, but as soon as I add a
>> second element to the variable definition like this:
>>
>> define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143
>>
>> I receive the following error while loading the rules using nft -f:
>>
>> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
>> /opt/firewall/filter/rules.nft:9:38-38: Error: syntax error, unexpected
>> comma, expecting newline or semicolon
>> n_int tcp dport 22 ct state new accept
>>                                      ^
>> In file included from /opt/firewall/filter/ruleset.nft:2:1-41:
>> /opt/firewall/filter/rules.nft:19:32-42: Error: unknown identifier
>> 's-ext-2-int'
>> elements = { $s-ext-2-int }
>>              ^^^^^^^^^^^
>>
>> Is it possible to use variables for named sets, maps, etc. or is this
>> currently not possible?
> I've submitted a patch for nft that I have tested with:
>
> define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
>
> table inet forward {
>     set s-ext-2-int {
>         type ipv4_addr . inet_service
>         elements = $s-ext-2-int
>     }
> }
>
> http://patchwork.ozlabs.org/project/netfilter-devel/list/
>
> Thanks for reporting.
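For reference, here is the two suggestions from the thread combined into one loadable ruleset. This is an added example, not code posted by Andreas or Pablo: the addresses and ports are made up (RFC 5737 documentation ranges), the chain names follow the original post, the `ip daddr . tcp dport @s-ext-2-int` lookup in ext-2-int and the `ct state invalid drop` rule are my additions, and the variable holding the set literal uses the form Pablo's patch makes possible.

```nft
# Added example (not from the thread). Addresses/ports are constructed
# placeholders from the RFC 5737 documentation ranges.
flush ruleset

define g_n_int = 192.0.2.1        # internal segment (assumed address)
define n_dmz   = 198.51.100.1     # DMZ segment (assumed address)
define n_ext   = 203.0.113.1      # external segment (assumed address)

# The braces belong in the define; the set body then references the
# variable as a whole rather than wrapping it in another pair of braces.
define s-ext-2-int = { 192.0.2.10 . 25, 192.0.2.10 . 143 }

table inet forward {
    set s-ext-2-int {
        type ipv4_addr . inet_service
        elements = $s-ext-2-int
    }

    chain int-2-dmz {
    }
    chain dmz-2-int {
    }
    chain int-2-ext {
    }

    chain ext-2-int {
        # One lookup against the named set replaces a rule per host/port pair
        # (this rule is an assumption about what the set is for).
        ip daddr . tcp dport @s-ext-2-int accept
    }

    chain segments {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Dispatch on the (source, destination) concatenation: a single map
        # lookup selects the segment chain instead of one rule per pair.
        ct state new ip saddr . ip daddr vmap { \
            $g_n_int . $n_dmz : jump int-2-dmz, \
            $n_dmz . $g_n_int : jump dmz-2-int, \
            $g_n_int . $n_ext : jump int-2-ext, \
            $n_ext . $g_n_int : jump ext-2-int \
        }
    }
}
```

Check the file with `nft -c -f rules.nft` before loading it with `nft -f rules.nft`; the parser errors in the thread appear at the check stage, without touching the live ruleset. Two caveats for a practitioner: the vmap keys here are single addresses, as in Pablo's snippet, because prefixes and ranges inside concatenated keys require a much newer stack (nftables 0.9.4 and Linux 5.6 or later); and `flush ruleset` wipes every table in every family, so drop that line if other tools (such as a container runtime) maintain their own tables on the host.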