
I want to match a set of networks given in prefix (subnet mask) notation. Anonymous sets work, but I want to create a named, predefined set so I can reuse it when needed.

nft add set filter AllowedSSH { type ipv4_addr\;} // type for addreses
nft add element filter AllowedSSH { 10.0.0.0/8 }  // not working
nft add element filter AllowedSSH { 10.0.0.1 }    // works by IP

What is the correct syntax to perform this action?

The variable style also doesn't work:

nft define networks = { 10.0.0.0/8 }
nft add rule ip filter input ip saddr $networks tcp dport 22 accept
Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule ip filter input ip saddr tcp dport 53 counter accept
                                  ^^^^^

NFT version:

[root@foo ~]# nft -v
nftables v0.8 (Joe Btfsplk)

Thanks in advance.

Alex
  • The question description suggests that the nftables rules are being entered interactively, in a Bash shell. Make sure the `$` character is escaped, as the semicolon is; otherwise Bash performs parameter expansion first and passes something else to the `nft` command line. – Anderson Medeiros Gomes Aug 08 '19 at 02:27



Address ranges and prefix (subnet) notation require the set to be created with the interval flag:

nft add set filter AllowedSSH { type ipv4_addr\; flags interval\;} 

Then you can add prefixed networks and ranges:

nft add element filter AllowedSSH { 10.0.0.0/8, 10.2.3.4-10.5.6.6 }

Official documentation here: http://wiki.nftables.org/wiki-nftables/index.php/Sets

Lobz

I believe that your nftables set should enable the interval flag. The following nftables configuration is parsed successfully on my system (it is a minimal example to demonstrate the set and variable syntax, not a complete firewall ruleset):

[root@localhost ~]# nft flush ruleset ; nft -f - <<'FWRULES'
define gw = 192.168.1.1
define intnets = { 10.100.0.0/24, 100.200.0.0/24 }
define http_allowed = { $gw, $intnets, 10.150.0.0/24, 10.250.0.250 }

table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { $gw, 172.16.24.32, $intnets, 192.168.224.192/28 }
    }
    chain input {
        type filter hook input priority 0;
        policy drop;

        ip saddr $http_allowed tcp dport { 80, 443, 8080, 8443 } counter accept
        ip saddr @ssh_allowed tcp dport ssh counter accept
    }
}
FWRULES
[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.224.240 \}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.227.0/24 \}
[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28, 192.168.224.240,
                 192.168.227.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}
[root@localhost ~]# nft -v
nftables v0.9.1 (Headless Horseman)