
Is it possible to do something like this:

    set authorized {
        type ipv4_addr ether_addr
        flags constant

        elements = {
            { ipaddr: 192.168.1.xx, etheraddr: xx:xx:xx:xx:xx:xx },
            { ipaddr: 192.168.1.xx, etheraddr: xx:xx:xx:xx:xx:xx },
            { ipaddr: 192.168.1.xx, etheraddr: xx:xx:xx:xx:xx:xx },
        }
    }

This returns a syntax error. Is there a valid syntax to do it? Nothing shows on the nftables website's set page.

Thank you

John Doe

1 Answer


OP's set definition has multiple syntax errors.

A set of elements where each element is a combination of two base types, IPv4 + Ethernet, is needed: it's not a set of simple elements, but a set of concatenations:

Concatenations

Since Linux kernel 4.1, nftables supports concatenations.

This new feature allows you to put two or more selectors together to perform very fast lookups in sets, maps, vmaps and meters.

Currently, in the whole of nft's man page, the word concatenations appears only once in a non-trivial use, but it's not defined there. So while nftables' wiki sometimes includes outdated information, it still includes useful documentation to complement the manual.

The . character is used to concatenate multiple base values. Also, a set element doesn't use an additional pair of { } nor uses the : character which is for maps.

This could be defined and used like below, reusing OP's information with concrete values. A host will allow only incoming traffic from matching pairs of source IPv4 address plus Ethernet source MAC address, for example as a way to enforce such an association between MAC and IP address:

table ip t {
    set authorized {
        # each element is one ipv4_addr . ether_addr pair, not two separate values
        type ipv4_addr . ether_addr
        flags constant
        elements = {
            192.168.1.1 . 02:00:00:00:00:01,
            192.168.1.2 . 02:00:00:00:00:02,
            192.168.1.3 . 02:00:00:00:00:03
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # look up the packet's source IP . source MAC pair in the set
        ip saddr . ether saddr @authorized accept
    }
}

Note: newer versions of nftables and kernel allow an easier syntax. Instead of:

type ipv4_addr . ether_addr

where figuring out ipv4_addr or ether_addr requires finding them in some additional documentation, one can use instead:

typeof ip saddr . ether saddr

reusing the same keywords used in rule syntax.

A.B
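As an added example, not code from the original question or answer: a small Python script that builds the concatenated set shown in the answer from an inventory of (IPv4, MAC) pairs, validates and normalizes each address before it reaches the ruleset, emits both the `type ipv4_addr . ether_addr` and the `typeof ip saddr . ether saddr` spellings, and models the set lookup to show why a concatenated key differs from matching the IP and the MAC in two separate sets. The inventory, the table name `t` and the function names are assumptions for this example.

```python
import ipaddress
import re

# Constructed inventory, assumed for this example (not from the original post):
# the same three IP/MAC pairs the answer uses as concrete values.
AUTHORIZED_PAIRS = [
    ("192.168.1.1", "02:00:00:00:00:01"),
    ("192.168.1.2", "02:00:00:00:00:02"),
    ("192.168.1.3", "02:00:00:00:00:03"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return a lowercase, colon-separated MAC (nft's own spelling), accepting
    '-' or ':' as separator. Anything that is not 6 hex octets is rejected
    so that a typo in the inventory never becomes a broken ruleset."""
    candidate = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(candidate):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return candidate


def normalize_pair(ip: str, mac: str) -> tuple:
    """Validate one (IPv4, MAC) pair; ipaddress rejects IPv6 and junk."""
    addr = ipaddress.IPv4Address(ip.strip())
    return str(addr), normalize_mac(mac)


def render_set(pairs, table="t", use_typeof=False) -> str:
    """Emit an nft table containing the constant concatenated set plus the
    input chain from the answer, ready for 'nft -f -'."""
    elements = sorted(
        {normalize_pair(ip, mac) for ip, mac in pairs},
        key=lambda p: (int(ipaddress.IPv4Address(p[0])), p[1]),
    )
    type_line = ("typeof ip saddr . ether saddr" if use_typeof
                 else "type ipv4_addr . ether_addr")
    body = ",\n".join(f"            {ip} . {mac}" for ip, mac in elements)
    return (
        f"table ip {table} {{\n"
        f"    set authorized {{\n"
        f"        {type_line}\n"
        f"        flags constant\n"
        f"        elements = {{\n{body}\n        }}\n"
        f"    }}\n\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy drop;\n"
        f"        ip saddr . ether saddr @authorized accept\n"
        f"    }}\n"
        f"}}\n"
    )


def concat_lookup(pairs, saddr, ether_saddr) -> bool:
    """Model the set lookup on the concatenated key: the packet is accepted
    only if the exact (ip, mac) tuple is an element of the set."""
    allowed = {normalize_pair(ip, mac) for ip, mac in pairs}
    return normalize_pair(saddr, ether_saddr) in allowed


def independent_lookup(pairs, saddr, ether_saddr) -> bool:
    """The weaker design the concatenation avoids: one set of IPs and one set
    of MACs, each matched on its own, so any authorized IP may be paired with
    any authorized MAC."""
    ips = {normalize_pair(ip, mac)[0] for ip, mac in pairs}
    macs = {normalize_pair(ip, mac)[1] for ip, mac in pairs}
    return str(ipaddress.IPv4Address(saddr)) in ips and normalize_mac(ether_saddr) in macs


if __name__ == "__main__":
    print(render_set(AUTHORIZED_PAIRS))
    # A sender using the authorized IP of host .1 with the MAC of host .2:
    # dropped by the concatenated set, accepted by two independent sets.
    print(concat_lookup(AUTHORIZED_PAIRS, "192.168.1.1", "02:00:00:00:00:02"))
    print(independent_lookup(AUTHORIZED_PAIRS, "192.168.1.1", "02:00:00:00:00:02"))
```

Pipe the output into `nft -f -` to load it, or `nft -c -f -` to only check the syntax. The two lookup functions make the point of the concatenation explicit: a sender using 192.168.1.1 with the MAC authorized for 192.168.1.2 fails the `@authorized` lookup but would pass two separate IP and MAC sets. The rule only sees a source MAC on the directly attached link, and a sender chooses its own source MAC, so this binds IPs to MACs as an inventory check rather than as authentication.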