Re: IP not banned in interval set

On Mon, 18 Mar 2024, at 4:36 PM, List Support wrote:
> Hi,
>
> nftables v1.0.6 (Lester Gooch #5) from Debian 12. I have a set, in a 
> table mytable of type inet, which contains
>
> set toban4-smtp {
>      type ipv4_addr
>      flags interval
>      auto-merge
>      elements = { 194.169.175.17-194.169.175.18 }
> }
>
> chain input {
>      type filter hook input priority -100; policy accept;
>      ip saddr @toban4-smtp tcp dport { 25, 462, 587 } drop
> }
>
> But
>
> nft delete element inet mytable toban4-smtp { 194.169.175.17 }
> Error: element does not exist
> delete element inet reaction toban4-smtp { 194.169.175.17 }
>

You would need at least nftables 1.0.7 for this to work.

https://marc.info/?l=netfilter&m=167873533514569&w=2

> where
>
> nft delete element inet mytable toban4-smtp { 
> 194.169.175.17-194.169.175.18 }
>
> does the job!
>
> Also, with elements = { 194.169.175.17-194.169.175.18 }, when one of 
> those IPs comes back it is allowed to enter :(
>
> What's wrong here?

This isn't particularly clear. Can you share the complete ruleset and explain the test case?

-- 
Kerin Millar
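Added here as an illustration, not code from this thread or from nftables: a small Python model of an interval set with auto-merge, fed the quoted set. It shows that adjacent addresses merge into one range, that a lookup matches any address inside a range, and that removing one address from a merged range means splitting the range rather than deleting an exact element (delete_exact models the refusal quoted above; delete_split is an assumed model of the outcome the reply points to, not a description of nftables' implementation).

```python
import ipaddress
# The set is modelled as a sorted list of inclusive (start, end) integer pairs.

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def add_element(ranges, start, end=None):
    """Add one address or range and auto-merge with overlapping or adjacent ranges."""
    lo, hi = _ip(start), _ip(end or start)
    merged = []
    for a, b in sorted(ranges + [(lo, hi)]):
        if merged and a <= merged[-1][1] + 1:   # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged

def contains(ranges, addr):
    """Match the way 'ip saddr @set' does: any range covering the address is a hit."""
    x = _ip(addr)
    return any(a <= x <= b for a, b in ranges)

def delete_exact(ranges, start, end=None):
    """Delete only an element stored exactly as given (the nft 1.0.6 behaviour quoted above)."""
    lo, hi = _ip(start), _ip(end or start)
    if (lo, hi) not in ranges:
        raise KeyError("element does not exist")
    return [r for r in ranges if r != (lo, hi)]

def delete_split(ranges, start, end=None):
    """Delete by carving the addresses out of whichever range covers them (assumed model)."""
    lo, hi = _ip(start), _ip(end or start)
    out, hit = [], False
    for a, b in ranges:
        if hi < a or lo > b:
            out.append((a, b))       # range not touched by the deletion
            continue
        hit = True
        if a < lo:
            out.append((a, lo - 1))  # keep the part below the deleted span
        if b > hi:
            out.append((hi + 1, b))  # keep the part above it
    if not hit:
        raise KeyError("element does not exist")
    return out

def fmt(ranges):
    """Render ranges the way nft lists them: a single address or 'a-b'."""
    f = lambda n: str(ipaddress.IPv4Address(n))
    return [f(a) if a == b else f"{f(a)}-{f(b)}" for a, b in ranges]
```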