Re: nftables: named set for ipv4 networks

On Sun, Oct 23, 2016 at 09:38:22PM +0200, Leon Merten Lohse wrote:
> Hi,
> 
> is there a way to migrate a hash:net type ipset to nftables?
> We use this to implement a blacklist where we block a large number of
> networks.
> 
> I tried using a type ipv4_addr named set as follows:
> 
> flush ruleset
> table inet filter {
>   set blacklist_v4 { type ipv4_addr; }
> }
> add element inet filter blacklist_v4 { 10.0.0.0/8 }
> 
> However, this results in:
> Error: Set member cannot be prefix, missing interval flag on declaration
> add element inet filter blacklist_v4 { 10.0.0.0/8 }
>                                        ^^^^^^^^^^
> Is ipv4_addr the wrong type in this case? I could not find any
> documentation on it.
> Using networks in anonymous sets seems to work flawlessly.

Missing "flags interval;" here, so this should be:

        table inet filter {
           set blacklist_v4 { type ipv4_addr; flags interval; }
        }

With named sets, you have to specify this flag since the kernel uses it
to select the best data structure to represent what you need.
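A migration helper for the hash:net case raised above, added here as an example and not part of the thread: a POSIX shell function that reads an `ipset save` dump and emits an nft script declaring the named set with `flags interval;` before loading the networks into it. The sample dump, the table name `filter` and the set names `blacklist` / `blacklist_v4` are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ipset save` output for an IPv4 hash:net set.
IPSET_DUMP='create blacklist hash:net family inet hashsize 1024 maxelem 65536
add blacklist 10.0.0.0/8
add blacklist 192.0.2.0/24
add blacklist 198.51.100.7
add blacklist 203.0.113.0/24 comment "bad host"'

# ipset_to_nft IPSET_NAME NFT_TABLE NFT_SET
# Reads `ipset save` output on stdin and prints an nft script that declares
# NFT_SET as an interval set (required for prefixes), drops traffic from it
# on input, and adds every network from IPSET_NAME. Exits 1 if IPSET_NAME
# is not an IPv4 hash:net set; "nomatch" entries have no nft equivalent and
# are skipped with a warning on stderr.
ipset_to_nft() {
    awk -v src="$1" -v table="$2" -v dst="$3" '
        $1 == "create" && $2 == src {
            seen = 1; settype = $3
            for (i = 4; i < NF; i++) if ($i == "family") family = $(i + 1)
        }
        $1 == "add" && $2 == src {
            for (i = 4; i <= NF; i++) if ($i == "nomatch") {
                print "warning: skipping nomatch entry " $3 > "/dev/stderr"; next
            }
            elems[n++] = $3
        }
        END {
            if (!seen || settype != "hash:net" || family != "inet") {
                print "error: " src " is not an IPv4 hash:net set" > "/dev/stderr"
                exit 1
            }
            printf "table inet %s {\n", table
            printf "  set %s { type ipv4_addr; flags interval; }\n", dst
            printf "  chain input {\n    type filter hook input priority 0; policy accept;\n"
            printf "    ip saddr @%s counter drop\n  }\n}\n", dst
            if (n == 0) exit 0
            printf "add element inet %s %s { ", table, dst
            for (i = 0; i < n; i++) printf "%s%s", (i ? ", " : ""), elems[i]
            print " }"
        }'
}

# Stand-alone run: convert the constructed dump.
printf '%s\n' "$IPSET_DUMP" | ipset_to_nft blacklist filter blacklist_v4
```

The generated script can be syntax-checked without touching the running ruleset with `nft -c -f script.nft` before it is loaded with `nft -f`.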