On Thu, Sep 15, 2016 at 02:13:55PM +0200, Andreas Hainke wrote:
> Hello,
>
> does anybody know if it's possible to use intervals inside of maps?
> Pablo already pointed out that it is possible to use maps as follows to
> handle rule processing more efficiently:
>
> nft add rule test myChain ip saddr . ip daddr vmap { 10.10.10.15 . 10.10.20.5 : accept, 10.10.10.1 . 10.10.20.1 : accept }
>
> table ip test {
>     chain myChain {
>         ip saddr . ip daddr vmap { 10.10.10.15 . 10.10.20.5 : accept, 10.10.10.1 . 10.10.20.1 : accept }
>     }
> }
>
> If I try to use intervals in maps the same way, I receive the following
> output:
>
> root@fw:~# nft add rule test myChain ip saddr . ip daddr vmap { 10.10.10.0/24 . 10.10.20.0/24 : accept }
> <cmdline>:1:64-64: Error: syntax error, unexpected ., expecting colon
> add rule test myChain ip saddr . ip daddr vmap { 10.10.10.0/24 . 10.10.20.0/24 : accept }

Please, give a try to this:

# nft add rule test myChain \
    ip saddr and 255.255.255.0 . ip daddr and 255.255.255.0 \
    vmap { 10.10.10.0 . 10.10.20.0 : accept }

Note that this is not an interval: this masks ip saddr and ip daddr, then concatenates both results. This concatenation is used to look up a matching result in the map.

Using a named set, you can do:

# nft add map test myMap { type ipv4_addr . ipv4_addr : verdict \; }
# nft add rule test myChain \
    ip saddr and 255.255.255.0 . ip daddr and 255.255.255.0 vmap @myMap
# nft add element test myMap { 10.10.10.0 . 10.10.20.0 : accept }

It should be easy to provide a more compact syntax using prefixes, e.g. ip saddr /24. I have a patch for this in a branch but I need to finish the listing side to print a prefix from there too.

P.S: It would be great if anyone can add this to the nftables wiki.
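To make the mask-then-concatenate semantics of the reply concrete, here is an added Python emulation (not nftables code, nor from anyone on this thread) of what the kernel does for the `ip saddr and 255.255.255.0 . ip daddr and 255.255.255.0 vmap @myMap` rule: both addresses are ANDed with the fixed mask, the pair is used as the lookup key, and the stored verdict is returned. It also renders the equivalent `nft` commands and rejects prefix pairs that do not fit the single mask, which is exactly why this trick expresses /24 networks but not arbitrary intervals. The map contents are constructed sample data.

```python
import ipaddress

# Constructed sample map: (source /24, destination /24) -> verdict
PREFIX_MAP = {
    ("10.10.10.0/24", "10.10.20.0/24"): "accept",
    ("192.168.1.0/24", "10.10.30.0/24"): "drop",
}

# The mask used in the reply's rule: `ip saddr and 255.255.255.0`
MASK = ipaddress.IPv4Address("255.255.255.0")


def mask_addr(addr, mask=MASK):
    """Emulate `ip saddr and <mask>`: bitwise AND of the address and the mask."""
    return ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & int(mask))


def build_map_elements(prefix_map, mask=MASK):
    """Turn prefix pairs into the masked keys nft stores in the map.

    A single mask rule can only express one prefix length, so any prefix whose
    netmask differs from the fixed mask is rejected rather than silently mismatched.
    """
    elements = {}
    for (src, dst), verdict in prefix_map.items():
        key = []
        for prefix in (src, dst):
            net = ipaddress.IPv4Network(prefix)
            if int(net.netmask) != int(mask):
                raise ValueError(f"{prefix} does not fit mask {mask}")
            key.append(str(net.network_address))
        elements[tuple(key)] = verdict
    return elements


def lookup(elements, saddr, daddr, mask=MASK):
    """Emulate the vmap lookup: mask both addresses, concatenate, look up.

    Returns the verdict string, or None when no element matches (the packet
    would fall through to the next rule)."""
    key = (str(mask_addr(saddr, mask)), str(mask_addr(daddr, mask)))
    return elements.get(key)


def nft_commands(elements, table="test", chain="myChain", name="myMap"):
    """Render the equivalent nft commands in the named-map form from the reply."""
    cmds = [f"nft add map {table} {name} {{ type ipv4_addr . ipv4_addr : verdict \\; }}",
            f"nft add rule {table} {chain} ip saddr and {MASK} . ip daddr and {MASK} vmap @{name}"]
    for (src, dst), verdict in elements.items():
        cmds.append(f"nft add element {table} {name} {{ {src} . {dst} : {verdict} }}")
    return cmds
```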