On Tue, 11 Jun 2024, at 8:30 AM, Aleksey Nikapli wrote:
> Hi!
>
> I have a question regarding migration from ipset to nftables. I have
> plenty of sets of this kind, containing tcp/udp/icmp:
>
> ipset create MYSET hash:ip,port family inet hashsize 1024 maxelem 65536
> ipset add MYSET 172.18.1.11,udp:137
> ipset add MYSET 172.18.1.11,udp:138
> ipset add MYSET 172.18.1.11,tcp:139
> ipset add MYSET 172.18.1.11,tcp:445
> ipset add MYSET 172.18.1.11,icmp:echo-request
>
> and a firewall rule for it:
>
> iptables -A FORWARD -s 10.1.20.150/32 -m set --match-set MYSET dst,dst -j ACCEPT
>
> When I translate my set to nftables I get a set like this:
>
> add set inet global MYSET { type ipv4_addr . inet_proto . inet_service; size 65536; }
> add element inet global MYSET { 172.18.1.11 . udp . 137 }
> add element inet global MYSET { 172.18.1.11 . udp . 138 }
> add element inet global MYSET { 172.18.1.11 . tcp . 139 }
> add element inet global MYSET { 172.18.1.11 . tcp . 445 }
> add element inet global MYSET { 172.18.1.11 . icmp . 2048 }
>
> However, I can't use it in an nft rule because it requires selecting the
> protocol (tcp/udp) when selecting dport:
>
> ip saddr . meta l4proto . tcp dport @MYSET accept
>
> Is there a way to translate and use this kind of set in nftables, or
> do I need to create three separate rules (for tcp, udp and icmp
> respectively)?

Write "th dport", which is equivalent to "@th,16,16". Doing so makes sense for TCP and UDP; you will need to define a different set to contain the elements pertaining to the ICMP protocol.

> Also another question is, is there some kind of list:set set type in
> nftables? So I could make a set of sets and use it in the ruleset as I
> could with iptables+ipset?

There is not.

--
Kerin Millar
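As an added example (not code from either correspondent), a small Python converter that applies the advice above to the quoted ipset commands: TCP/UDP members go into the `ipv4_addr . inet_proto . inet_service` set matched with `th dport`, while ICMP members are split into a second set, because `@th,16,16` reads the 16 bits at transport-header offset 16 for any protocol, which for ICMP is the checksum rather than a type. The `<SET>_icmp` naming, its `ipv4_addr . icmp_type` type and the `forward` chain name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: the ipset commands quoted in the question.
IPSET_LINES = """\
ipset create MYSET hash:ip,port family inet hashsize 1024 maxelem 65536
ipset add MYSET 172.18.1.11,udp:137
ipset add MYSET 172.18.1.11,udp:138
ipset add MYSET 172.18.1.11,tcp:139
ipset add MYSET 172.18.1.11,tcp:445
ipset add MYSET 172.18.1.11,icmp:echo-request
"""

CREATE_RE = re.compile(r"^ipset create (\S+) hash:ip,port\b")
ADD_RE = re.compile(r"^ipset add (\S+) (\S+),(tcp|udp|icmp):(\S+)$")


def convert(text: str, table: str = "inet global") -> List[str]:
    """Translate 'ipset create/add' lines of a hash:ip,port set into nft
    commands. ICMP members cannot live in the 'addr . proto . port' set
    (th dport would compare against the ICMP checksum), so they go into
    a separate '<SET>_icmp' set keyed by 'addr . icmp_type' (assumed name/type)."""
    sizes: Dict[str, str] = {}
    ports: Dict[str, List[str]] = {}
    icmps: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if (m := CREATE_RE.match(line)):
            size = re.search(r"maxelem (\d+)", line)
            sizes[m.group(1)] = size.group(1) if size else "65536"
            continue
        if not (m := ADD_RE.match(line)):
            raise ValueError(f"unsupported ipset line: {line!r}")
        name, addr, proto, svc = m.groups()
        if proto == "icmp":
            icmps.setdefault(name, []).append(f"{addr} . {svc}")
        else:
            ports.setdefault(name, []).append(f"{addr} . {proto} . {svc}")
    out: List[str] = []
    for name, elems in ports.items():
        out.append(f"add set {table} {name} {{ type ipv4_addr . inet_proto . inet_service;"
                   f" size {sizes.get(name, '65536')}; }}")
        out += [f"add element {table} {name} {{ {e} }}" for e in elems]
    for name, elems in icmps.items():
        out.append(f"add set {table} {name}_icmp {{ type ipv4_addr . icmp_type; }}")
        out += [f"add element {table} {name}_icmp {{ {e} }}" for e in elems]
    return out


def rules(name: str, src: str, table: str = "inet global", chain: str = "forward") -> List[str]:
    """nft equivalents of 'iptables -s SRC -m set --match-set NAME dst,dst -j ACCEPT':
    one rule using 'th dport' for TCP/UDP, one for the separate ICMP set."""
    return [
        f"add rule {table} {chain} ip saddr {src} ip daddr . meta l4proto . th dport @{name} accept",
        f"add rule {table} {chain} ip saddr {src} ip daddr . icmp type @{name}_icmp accept",
    ]
```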