Reindl Harald <h.reindl@xxxxxxxxxxxxx> writes:

> On 03.07.20 at 09:04, G.W. Haywood wrote:
>> On Fri, 3 Jul 2020, Timo Sigurdsson wrote:
>>
>>> ... I use ipsets for blacklisting.
>>> I fetch blacklists from various sources
>>> ... This approach has worked for me for quite some time.
>>> ... some of my blacklists may contain the same addresses or ranges,
>>> I use ipsets' -exist switch when loading
>>> ... I don't think that the use case is that extraordinary ...
>>
>> +6
>>
>> FWIW I'll be following this thread very closely.
>
> it turned out at least with recent kernel and recent userland
> "iptables-nft" can fully replace "iptables" and continue to use "ipset"
> unchanged

I tested this and you're right - it is working. This surprised me!
I saw these "commented out" rules in iptables-translate, where I
(wrongly) assumed that meant the rule was completely inactive.

bash5$ sudo ip netns add delete-me
bash5$ sudo ip netns exec delete-me bash
bash5# nft list ruleset
bash5# ipset create xs hash:ip
bash5# iptables-nft -N x
bash5# iptables-nft -A x -m set --match-set xs dst
bash5# iptables-nft-save
# Generated by xtables-save v1.8.3 on Wed Jul 8 17:30:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:x - [0:0]
-A x -m set --match-set xs dst
COMMIT
# Completed on Wed Jul 8 17:30:56 2020
bash5# nft list chain filter x
table ip filter {
	chain x {
		# match-set xs dst counter packets 0 bytes 0
	}
}

Testing shows it IS matching, so the only limitation is that you must
create the ruleset using iptables-nft-restore (old syntax) instead of
nft (new syntax).

bash5# iptables-nft -A OUTPUT -m set --match-set xs dst -j REJECT
bash5# ip link set dev lo up
bash5# ip a add 127.0.0.1/8 brd + dev lo
bash5# iptables-nft-save -c
⋮
[0:0] -A OUTPUT -m set --match-set xs dst -j REJECT --reject-with icmp-port-unreachable
⋮
bash5# ping -c1 127.0.0.1
ping: sendmsg: Operation not permitted
bash5# iptables-nft-save -c
⋮
[2:196] -A OUTPUT -m set --match-set xs dst -j REJECT --reject-with icmp-port-unreachable
⋮
bash5# nft list chain filter OUTPUT
⋮
		# match-set xs dst counter packets 2 bytes 196 reject
⋮
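The verification above relies on reading the `[packets:bytes]` counters by eye. As an added example (not code from this thread), the script below diffs two `iptables-nft-save -c` snapshots and lists the `-m set` rules whose counters never moved, which is the check to run after migrating ipset-based blacklists to iptables-nft. The snapshots are constructed in the shape of the dump in the message; the set name `blacklist_a` and the counter values are made up.

```python
import re

# Constructed sample snapshots in the shape of `iptables-nft-save -c` output
# (hypothetical values, not the poster's real dump): one taken right after
# loading the rules, one taken after sending some test traffic.
BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:x - [0:0]
[0:0] -A x -m set --match-set xs dst
[0:0] -A INPUT -m set --match-set blacklist_a src -j DROP
[0:0] -A OUTPUT -m set --match-set xs dst -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
AFTER = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:x - [0:0]
[0:0] -A x -m set --match-set xs dst
[0:0] -A INPUT -m set --match-set blacklist_a src -j DROP
[2:196] -A OUTPUT -m set --match-set xs dst -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# `-c` prefixes every rule with [packets:bytes]; without it there is no counter to read.
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
SET_RE = re.compile(r"--match-set (\S+) (\S+)")


def parse_set_rules(save_output):
    """Map (chain, rule text) -> (packets, bytes) for every rule that uses -m set."""
    rules = {}
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if m and SET_RE.search(m.group(4)):
            rules[(m.group(3), m.group(4))] = (int(m.group(1)), int(m.group(2)))
    return rules


def set_rule_deltas(before, after):
    """Packet-count increase per -m set rule between the two snapshots;
    a rule missing from `after` (e.g. lost in a reload) is reported as None."""
    b, a = parse_set_rules(before), parse_set_rules(after)
    return {k: (a[k][0] - b[k][0]) if k in a else None for k in b}


def unexercised(deltas):
    """Rules whose counters never moved, or that vanished: spot-check these sets by hand."""
    return sorted(k for k, d in deltas.items() if not d)
```

Feed it real snapshots by reading two saved `iptables-nft-save -c` files instead of the constructed strings; counters are only reset by a reload, so take the "before" snapshot after loading the sets.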