Hey Pablo!

On Tue, Nov 2, 2021 at 3:23 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Tue, Nov 02, 2021 at 02:39:33PM -0500, Matt Zagrabelny wrote:
> > Replying to myself...
> >
> > On Mon, Nov 1, 2021 at 3:46 PM Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> > >
> > > Hello,
> > >
> > > I'd like to use the "inet" address family in a named set. I see nft
> > > supports the following address families [AF] (among others):
> > >
> > > ip    IPv4 address family.
> > >
> > > ip6   IPv6 address family.
> > >
> > > inet  Internet (IPv4/IPv6) address family.
> > >
> > > I'm not sure nftables even would allow an "inet" to be used in a rule such as:
> >
> > table inet filter {
> >     chain input {
> >         inet saddr { 127.0.0.1, ::1 } tcp dport 22 accept
> >     }
> > }
> >
> > Instead, it seems I must do:
> >
> > table inet filter {
> >     chain input {
>
> there is no chain definition here, this chain sees no traffic.

I've got it defined in a different include file:

table inet filter {
    chain input {
        type filter hook input \
            priority 0; policy drop;
    }
    chain forward {
        type filter hook forward \
            priority 0; policy drop;
    }
    chain output {
        type filter hook output \
            priority 0; policy accept;
    }
}

> >         type filter hook input priority filter; policy drop;
>
> is missing.
>
> >         ip saddr 127.0.0.1 tcp dport 22 accept
> >         ip6 saddr ::1 tcp dport 22 accept
>
> Better split your ruleset in a tree using verdict maps:
>
> table inet filter {
>     chain input_ip4 {
>         ip saddr 127.0.0.1 accept
>     }
>
>     chain input_ip6 {
>         ip6 saddr ::1 accept
>     }
>
>     chain input {
>         type filter hook input priority filter; policy drop;
>         ct state vmap { established : accept, related : accept, invalid : drop }
>         # implicit match on 'ct state new,untracked'
>         tcp dport 22 meta protocol vmap { ip : jump input_ip4, ip6 : jump input_ip6 }
>     }
> }

That's cool about the verdict maps. I'll have to read up on those.

Though, I still feel like I should be able to say:

chain input {
    inet saddr {127.0.0.1, ::1} accept
}

Anyhow.

It seems that is currently an impossibility.

Thanks for the reply and the info about verdict maps. I appreciate it!

-m
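As an added example (not from either participant's messages), here is a complete ruleset that puts the pieces of the thread together: the base-chain definition Matt's include file carried, two named sets of the correct per-family type in place of the mixed "inet" set he wanted, and Pablo's verdict-map dispatch. The set names, the extra documentation-range addresses and the use of `meta nfproto` (the layer-3 family selector, chosen here instead of the ethertype match `meta protocol`) are this example's own choices.

```nft
# Constructed example ruleset; addresses other than the loopback ones are
# documentation ranges, not a real deployment.
table inet filter {
    # A named set holds a single address type, so a mixed v4/v6 allow-list
    # becomes one ipv4_addr set and one ipv6_addr set.
    set ssh_allow4 {
        type ipv4_addr
        elements = { 127.0.0.1, 192.0.2.10 }
    }
    set ssh_allow6 {
        type ipv6_addr
        elements = { ::1, 2001:db8::10 }
    }

    chain input_ip4 {
        ip saddr @ssh_allow4 tcp dport 22 accept
    }

    chain input_ip6 {
        ip6 saddr @ssh_allow6 tcp dport 22 accept
    }

    chain input {
        # Without this line the chain is not attached to a hook and sees no packets.
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Remaining packets are new/untracked; dispatch on the layer-3 family
        # so the SSH port match is written once rather than per family.
        tcp dport 22 meta nfproto vmap { ipv4 : jump input_ip4, ipv6 : jump input_ip6 }
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`; the check pass catches a set element whose address family does not match the set's type.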