nftables named sets that match network prefixes, through a filter set or variables

I want to match a set of networks. Anonymous sets work fine, but I want to create a named set of prefixes so I can reuse it whenever needed.

nft add set filter AllowedSSH { type ipv4_addr\;} // type for addresses
nft add element filter AllowedSSH { 10.0.0.0/8 } // not working
nft add element filter AllowedSSH { 10.0.0.1 } // works by IP

Which set type or flag should I use so the set accepts prefixes?

The variable approach does not work either:

nft define networks = { 10.0.0.0/8 }
nft add rule ip filter input ip saddr $networks tcp dport 22 accept
Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule ip filter input ip saddr tcp dport 53 counter accept
                                  ^^^^^

NFT version:

[root@foo ~]# nft -v
nftables v0.8 (Joe Btfsplk)

Thanks in advance.


Solution 1:

Your set needs the `interval` flag: without it an `ipv4_addr` set only holds single addresses, which is why the `10.0.0.0/8` element was rejected while `10.0.0.1` was accepted. The variable attempt most likely failed for a different reason — the rule echoed in the error reads `ip saddr tcp dport`, i.e. `$networks` was empty, presumably because the shell expanded it before `nft` saw it and because a `define` from a separate `nft` invocation does not carry over to the next one; keeping the defines and the rules in a single `nft -f` input, as below, avoids both problems. The following nftables configuration is parsed successfully by my system:

[root@localhost ~]# nft flush ruleset ; nft -f - <<'FWRULES'
define gw = 192.168.1.1
define intnets = { 10.100.0.0/24, 100.200.0.0/24 }
define http_allowed = { $gw, $intnets, 10.150.0.0/24, 10.250.0.250 }

table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { $gw, 172.16.24.32, $intnets, 192.168.224.192/28 }
    }
    chain input {
        type filter hook input priority 0;
        policy drop;

        ip saddr $http_allowed tcp dport { 80, 443, 8080, 8443 } counter accept
        ip saddr @ssh_allowed tcp dport ssh counter accept
    }
}
FWRULES
[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.224.240 \}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.227.0/24 \}
[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28, 192.168.224.240,
                 192.168.227.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}
[root@localhost ~]# nft -v
nftables v0.9.1 (Headless Horseman)