Jan-Philipp Litza <jpl+direct@xxxxxxxxx> wrote:
> Hi everyone,
>
> surely not only for me, sets were one of the main reasons to switch from
> iptables to nftables. However, I was very disappointed that anonymous IP
> address sets don't support prefixes (ranges):

They do...

> /etc/nftables.conf:5:20-29: Error: Set member cannot be prefix, missing
> interval flag on declaration
> ip saddr { 8.8.8.8/32, 1.1.1.1/32 } drop
>            ^^^^^^^^^^

Which nft and libnftnl versions are these?

This code is taken for non-anon sets.

> Poking around in the source code, I found the relevant line [1] that
> explicitly checks for anonymous sets. Apparently it was added in [2] to
> give the user a better error message than some "BUG".

Note the ! -- this check is done for named sets.

> But couldn't you also simply (or maybe not so simply) "upgrade" the
> anonymous set to an interval-capable set when you encounter a prefix?

That's what is supposed to happen already.

> Also, why isn't this message triggered by something like "tcp dport {
> 22-23, 80, 443 }"? Isn't this a range in an anonymous set as well?

Yes, it's a range.
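For reference, a declaration that carries the interval flag the error message asks for, written as an added example that is not part of this thread (the table, set and chain names are assumed; the set elements and the port list are the ones quoted above):

```nft
# Added example (not from the thread): a named set declared with
# "flags interval" may hold prefixes and ranges, and the rule matches
# against it by name instead of listing the members inline.
table inet filter {
    set blocked_v4 {
        type ipv4_addr
        flags interval
        # prefixes from the quoted config; /32 entries are single hosts
        elements = { 8.8.8.8/32, 1.1.1.1/32 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # reference the interval-capable named set
        ip saddr @blocked_v4 counter drop

        # port ranges in an anonymous set, as in the quoted question
        tcp dport { 22-23, 80, 443 } counter accept
    }
}
```

`nft -c -f <file>` parses the ruleset without loading it, so the declaration can be checked against the installed nft version before it is applied.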