syntax issues when reducing rules through grouping ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



i've migrated some fw code to nftables, and am cleaning up my sources -- at this point, for my own readability.

i've managed to so far miss any clear writeups on such housekeeping, so using some trial-n-error :-/


when involving marks in nat/mangle chains, what's valid, or not, is a bit fuzzy.

in this sample script

	cat tmp.nft
		#!/usr/sbin/nft -f

		define VPN = "A"
		define LAN = "B"
		define SVR1 = "1.1.1.1"
		define SVR2 = "2.2.2.2"

		table nat {
			chain prerouting {
				type nat hook prerouting priority -150; policy accept;

				# SET1
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 udp dport 53
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 tcp dport 53
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 udp dport 25
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport 465

				# SET2 (This seem a bit tortured, but it's fewer lines ...)
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
				meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }

				# SET3
				meta mark set 0x02 {
24					meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
25					meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }
26				}
27
28			}
29		}


rule group "SETs" 1, 2 & 3 are _intended_ to be functionally equivalent, but simply increasingly "grouped" for convenience/readability (yes, arguable!)


testing, SET1 & SET2 seem OK, but SET3 is clearly unhappy,

	nft -c -f tmp.nft
		tmp.nft:24:4-7: Error: syntax error, unexpected meta
		                        meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
		                        ^^^^
		tmp.nft:29:1-1: Error: syntax error, unexpected '}'
		}
		^


what's specifically DISallowed in my SET3 syntax usage?

what'd be the 'most grouped' that SET can validly be?





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux