Re: Combine ipv4 and ipv6 in a set

On Tue, 30 Jan 2024, at 1:08 PM, Marc Haber wrote:
> On Tue, Jan 30, 2024 at 10:39:57AM +0000, Kerin Millar wrote:
>> On Tue, 30 Jan 2024, at 10:17 AM, Daniel wrote:
>> > Hi,
>> >
>> > nft 1.06 Debian12. Is it possible in a set to combine ipv4 and ipv6? If 
>> > not, is there another method to do this?
>> 
>> Combining is impossible.
>
> This is one of my pet peeves with nft, actually. For iptables, there was
> tooling like ferm which made it possible to write dual-stack rule sets
> very easily. This kind of tooling seems to be completely missing in the
> nftables world. Am I missing something here?

Quite possibly. Currently, nftables supports:

- mixed rulesets (using tables bearing the "inet" family)
- mixed rules (wherever it makes sense)
- first-class sets of any kind (irrespective of the type of table enclosing them)

Granted, one cannot create a set that is typed in such a way that an element can be either an IPv4 or IPv6 address/interval. Conversely, iptables does not natively support sets at all, though it can integrate with sets that are managed by ipset(8). Now, can an ipset contain addresses of mixed types? No, it cannot.

# ipset create myset hash:ip
# ipset add myset 127.0.0.1
# ipset add myset ::1
ipset v7.19: Syntax error: cannot parse ::1: resolving to IPv4 address failed

# ipset destroy myset
# ipset create myset hash:ip family inet6
# ipset add myset ::1
# ipset add myset 127.0.0.1
ipset v7.19: Syntax error: cannot parse 127.0.0.1: resolving to IPv6 address failed

As far as the present topic is concerned, the only tangible advantage that ipset has is the ability to create a set whose sole purpose is to act as a superset of other - potentially mixed - sets. This advantage is rather diminished by the fact that one also has to manage two entirely separate rulesets with iptables and ip6tables, notwithstanding that wrappers such as ferm exist. At any rate, the following nftables ruleset is valid.

table inet filter {
        set block4 {
                type ipv4_addr
        }
        set block6 {
                type ipv6_addr
        }
        chain INPUT {
                type filter hook input priority filter; policy accept
                ip saddr @block4 drop
                ip6 saddr @block6 drop
        }
}

>
>> However, the value of an ipv6_addr element is permitted to be an IPv4-mapped IPv6 address.
>
> Does nft have a function to convert an IPv4 address to an IPv4-mapped
> address? Will the rule set do the intended thing? Is an ipv6 rule with
> an IPv4 mapped address fully equivalent with a proper IPv4 rule?

I do not know, as I have not yet attempted to use them in an ipv6_addr set (it would waste memory). That said, my expectation would be that they have to be specified in the appropriate format and that they would only be applicable to dual-stack applications. In that case, they might sometimes prove helpful, particularly as Linux defaults to having the "net.ipv6.bindv6only" sysctl be set to "0".

-- 
Kerin Millar
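A small ferm-style helper, added here as an example and not part of the thread or of nftables itself: it takes one mixed list of addresses and prefixes, splits it into the block4/block6 sets of the ruleset above, and renders the nftables file. IPv4-mapped entries (::ffff:a.b.c.d) are filed under block4 on the assumption that the traffic such an address describes arrives as an IPv4 packet; the input list is constructed.

```python
import ipaddress
from typing import Iterable


def split_mixed(entries: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split a mixed list into (ipv4_addr elements, ipv6_addr elements)."""
    v4: list[str] = []
    v6: list[str] = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        # A host-sized IPv4-mapped IPv6 address (::ffff:a.b.c.d) names an IPv4
        # peer as seen by a dual-stack socket; on the wire that is an IPv4
        # packet, so it is placed in the ipv4_addr set (assumption, see lead-in).
        if net.version == 6 and net.prefixlen == 128:
            mapped = net.network_address.ipv4_mapped
            if mapped is not None:
                v4.append(str(mapped))
                continue
        # Host addresses are emitted bare, prefixes keep their length.
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def render_ruleset(v4: list[str], v6: list[str], table: str = "filter") -> str:
    """Render the inet table with two typed sets, mirroring the ruleset in the thread."""
    def set_block(name: str, typ: str, items: list[str]) -> str:
        # "flags interval" is required once any element is a prefix rather than a host.
        elems = f"\n\t\telements = {{ {', '.join(items)} }}" if items else ""
        return f"\tset {name} {{\n\t\ttype {typ}\n\t\tflags interval{elems}\n\t}}\n"

    return (
        f"table inet {table} {{\n"
        + set_block("block4", "ipv4_addr", v4)
        + set_block("block6", "ipv6_addr", v6)
        + "\tchain INPUT {\n"
        "\t\ttype filter hook input priority filter; policy accept\n"
        "\t\tip saddr @block4 drop\n"
        "\t\tip6 saddr @block6 drop\n"
        "\t}\n}\n"
    )


if __name__ == "__main__":
    # Constructed sample: documentation ranges only.
    SAMPLE = ["192.0.2.1", "2001:db8::/32", "::ffff:198.51.100.7", "10.0.0.0/8"]
    print(render_ruleset(*split_mixed(SAMPLE)), end="")
```

The rendered text can be checked without loading it via `nft -c -f file`.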
