Hello,

we are in the process of migrating our OpenVPN gateways from iptables to nftables. Our motivation: since we have user-individual rulesets for each user, we have some issues with iptables with the sequential processing and (what is the bigger issue) the global locking when the ruleset changes, which happens every time a user logs in or out. Therefore, we decided to switch to nftables with its atomic updates.

In this process we are currently trying to convert the ruleset from the sequential iptables way to the nftables "set/combined-sets" method of matching packets. We build combined sets for the user in this way (as an example for TCP only):

    table ip openvpn {
        set user-username_tcp {
            typeof ip daddr . tcp dport
            flags interval
            auto-merge
        }
    }

Now we have the problem that some user rulesets have overlapping rules. These are granted due to different rule groups the user is a member of, i.e. the user has this rule from group A:

    - 123.45.6.0/24 . 80   # (http to the whole network)

and this from group B:

    - 123.45.6.7 . 80      # (http to just one host)

Then our parser combines both into the set with

    elements = { 123.45.6.0/24 . 80, 123.45.6.7 . 80, }

When installing this we get

    ./debug_username.nft:4:7-23: Error: Could not process rule: File exists
      set user-username_tcp {
          ^^^^^^^^^^^^^^^^^

This isn't "auto-merged" as we expected.

To make it a little more complex, we have network ranges and port ranges on some rules. Therefore, the auto-merge would have to "unroll" and merge both parts.

Is there any way to achieve these combined sets with auto-merge?

(To get around this, one could check if hosts, networks, port ranges or ports overlap, and discard the "smaller" definition. But this could also be done by auto-merge, if I understand the feature correctly.)

Regards,
Christian

-- 
Charité – Universitätsmedizin Berlin
Business division IT | Dept. Network
Campus Charité Benjamin Franklin (CBF)
Hindenburgdamm 30 | 12200 Berlin