On Tue, Dec 13, 2016 at 08:06:27PM -0800, Mark Morgan wrote:
> Great ideas, thank you both. I tried Pablo's suggestion and have an
> error. Here's what it looks like:
>
> # nftables.conf
> include "/etc/nftables.country-block"
> table inet filter {
>     set country-block {
>         type ipv4_addr; flags interval;
>         elements = $country_block_list
>     }
> }
>
> # nftables.country-block
> define country_block_list = {
>     1.160.0.0/12, 1.192.0.0/13, 1.200.0.0/16, 1.202.0.0/15, 1.204.0.0/14,
>     # .... many lines here
>     223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
> }
>
> And when I try to reload nftables, I receive the error:
>
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]: /etc/nftables.conf:82:16-16:
> Error: syntax error, unexpected '$', expecting '{'
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]: elements = $country_block_list
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]:            ^
>
> Did I do something wrong? Versions if it matters (Arch Linux):
>
> > uname -r -m
> 4.4.36-1-ec2-lts x86_64
> nft --version
> nftables v0.6 (Support Edward Snowden)

This is fixed at git.netfilter.org; it would be great if you could test
this and confirm. We're preparing a release soon.

What I sent you works here.

> I tried Leon's suggested approach and it just coredumps:
>
> # nftables.conf
> table inet filter {
>     set country-block {
>         type ipv4_addr; flags interval;
>     }
> }
> include "/etc/nftables.country-block"
>
> # nftables.country-block
> add element inet filter country-block {
>     1.160.0.0/12, 1.192.0.0/13, 1.200.0.0/16, 1.202.0.0/15, 1.204.0.0/14,
>     # ... blah blah
>     223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
> }
>
> -- Unit nftables.service has begun starting up.
> Dec 13 20:00:35 ip-172-31-46-95 kernel: nft[616]: segfault at 70 ip
> 000000000041d662 sp 00007ffc1b3f8db0 error 4 in nft[400000+56000]
> Dec 13 20:00:35 ip-172-31-46-95 systemd[1]: Started Process Core Dump
> (PID 618/UID 0).
> -- Subject: Unit systemd-coredump@2-618-0.service has finished start-up
>
> Also, in case size is a possible issue, here's the word count on my
> country-block file:
>
> > wc nftables.country-block
> 213 952 16532 nftables.country-block
>
> Skipping 10-15 words of meta information, that's approximately ~940
> CIDR blocks in the list.
>
> Should I try different versions of nftables or a newer kernel? Or, for
> the core dumping issue, feel free to point me at some docs for how to
> capture useful debug information for the devs and I'm happy to read up
> and submit a bug report.

Yes, try newer libnftnl and nftables at git.netfilter.org and get back to
us if you still have problems.
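An added example, not part of the thread: a small Python lint for the include-file layout quoted above (a `define NAME = { ... }` block with `#` comments), which checks that every element is a valid ipv4_addr prefix and that no two prefixes overlap, a useful pre-flight before handing a ~940-element interval set to `nft -f`. The sample text is constructed to mimic Mark's nftables.country-block; the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the layout of the nftables.country-block include
# file quoted in the thread; a few prefixes stand in for the ~940 real ones.
SAMPLE_INCLUDE = """\
# nftables.country-block
define country_block_list = {
    1.160.0.0/12, 1.192.0.0/13, 1.200.0.0/16, 1.202.0.0/15, 1.204.0.0/14,
    # .... many lines here
    223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
}
"""


def parse_define_block(text):
    """Return (name, elements) from a `define name = { a, b, ... }` block.
    Comments run from '#' to end of line, as in nft syntax, and are dropped."""
    code = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    m = re.match(r"define\s+(\w+)\s*=\s*\{(.*)\}\s*$", " ".join(filter(None, code)))
    if not m:
        raise ValueError("no complete 'define NAME = { ... }' block found")
    elements = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return m.group(1), elements


def check_interval_set(elements):
    """Validate elements meant for a `type ipv4_addr; flags interval` set.
    Returns the parsed prefix count, elements that are not valid CIDR prefixes
    (bad syntax or host bits set), and (outer, inner) pairs that overlap."""
    nets, invalid = [], []
    for e in elements:
        try:
            nets.append(ipaddress.IPv4Network(e, strict=True))
        except ValueError:
            invalid.append(e)
    # CIDR blocks are either nested or disjoint, so after sorting by (address,
    # prefix length) any block starting inside the current outer's range is inside it.
    nets.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    overlaps, outer, end = [], None, -1
    for n in nets:
        if int(n.network_address) <= end:
            overlaps.append((str(outer), str(n)))
        else:
            outer, end = n, int(n.broadcast_address)
    return {"count": len(nets), "invalid": invalid, "overlaps": overlaps}
```

Run it over the real include file before reloading; a non-empty `invalid` or `overlaps` list is worth fixing regardless of which nft version is installed.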