Closed (systemstart closed this issue 5 years ago)
@systemstart I just updated to the latest github.com/google/nftables
and compiled one of the modules which use sets,
and it looks good to me. See output below:
table ip istio_ipv4 {
	set 3848dbe075ec {
		type inet_service
		flags constant
		elements = { 11111, 22222 }
	}
	set ba08f184aa21 {
		type ipv4_addr
		flags constant,interval
		elements = { 1.1.1.0/24, 2.2.2.0/30 }
	}
	set 0cd0eb721db4 {
		type inet_service
		flags constant
		elements = { 23232, 44444, 55555 }
	}
For IPv6
table ip6 istio_ipv6 {
	set 662fa3397575 {
		type inet_service
		flags constant
		elements = { 11111, 22222 }
	}
	set c5bd82538a0e {
		type ipv6_addr
		flags constant,interval
		elements = { 2001:123::/64,
			     fe88:2345::/92 }
	}
I do not use google/nftables directly, I use my abstraction library, but in the end everything gets translated into google/nftables.
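The point the thread keeps returning to is verification: after Flush(), does `nft list ruleset` actually show the set and its elements? The Go program below is an added example, not code from this thread, from google/nftables or from nftableslib. It parses `nft list ruleset` text into sets (table, type, flags, elements) and checks that an expected set with expected elements is present. It runs offline over an excerpt of the output quoted above (the IPv4 and IPv6 tables merged into one string, closing braces truncated as in the quote, the wrapped IPv6 element list kept). A set that is absent entirely, rather than one that is present with elements missing, is the signature of the kernel rejecting the whole batch, and the error returned by Flush() is the first thing to inspect in that case.

```go
package main

import (
	"fmt"
	"strings"
)

type Set struct {
	Table    string // family plus table name, e.g. "ip istio_ipv4"
	Name     string
	Type     string
	Flags    []string
	Elements []string
}

// ParseRuleset pulls every set (type, flags, elements) out of `nft list ruleset`
// text, coping with wrapped element lists and output cut off before a table's "}".
func ParseRuleset(out string) []Set {
	var sets []Set
	table, cur, inElems, pending := "", -1, false, ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case inElems || (cur >= 0 && strings.HasPrefix(line, "elements = {")):
			pending += " " + line // element lists may wrap over several lines
			if inElems = !strings.Contains(line, "}"); !inElems {
				sets[cur].Elements = splitElements(pending)
				pending = ""
			}
		case strings.HasPrefix(line, "table "):
			table = strings.TrimSpace(strings.TrimSuffix(line[len("table "):], "{"))
		case strings.HasPrefix(line, "set "):
			name := strings.TrimSpace(strings.TrimSuffix(line[len("set "):], "{"))
			sets = append(sets, Set{Table: table, Name: name})
			cur = len(sets) - 1
		case cur >= 0 && strings.HasPrefix(line, "type "):
			sets[cur].Type = line[len("type "):]
		case cur >= 0 && strings.HasPrefix(line, "flags "):
			sets[cur].Flags = strings.Split(line[len("flags "):], ",")
		case line == "}": // closes the current set (or the table); a chain's
			cur = -1 // "type filter hook ..." line must not be taken for a set type
		}
	}
	return sets
}

// splitElements turns "elements = { a, b }" into ["a", "b"].
func splitElements(s string) (out []string) {
	open, end := strings.Index(s, "{"), strings.LastIndex(s, "}")
	if open < 0 || end < open {
		return nil
	}
	for _, e := range strings.Split(s[open+1:end], ",") {
		if e = strings.TrimSpace(e); e != "" {
			out = append(out, e)
		}
	}
	return out
}

// MissingElements reports which wanted elements are absent from the named set;
// ok is false when the set is not in the ruleset at all (the whole batch was rejected).
func MissingElements(sets []Set, table, name string, want []string) (missing []string, ok bool) {
	for _, s := range sets {
		if s.Table != table || s.Name != name {
			continue
		}
		have := " " + strings.Join(s.Elements, " ") + " " // nft elements never contain spaces
		for _, w := range want {
			if !strings.Contains(have, " "+w+" ") {
				missing = append(missing, w)
			}
		}
		return missing, true
	}
	return want, false
}

// sample: excerpt of the `nft list ruleset` output quoted in this thread, two tables merged.
const sample = `table ip istio_ipv4 {
	set 3848dbe075ec {
		type inet_service
		flags constant
		elements = { 11111, 22222 }
	}
table ip6 istio_ipv6 {
	set c5bd82538a0e {
		type ipv6_addr
		flags constant,interval
		elements = { 2001:123::/64,
			     fe88:2345::/92 }
	}
`

func main() {
	sets := ParseRuleset(sample)
	missing, ok := MissingElements(sets, "ip6 istio_ipv6", "c5bd82538a0e", []string{"2001:123::/64", "fe88:2345::/92"})
	fmt.Printf("set present: %v, missing elements: %v\n", ok, missing)
}
```

Feed the real output of `nft list ruleset` into ParseRuleset and call MissingElements with the set name and elements your program sent in the batch; the distinction between "set absent" and "set present, elements missing" tells you whether the batch as a whole failed or only the element updates did.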
Thanks. I assume you are on latest google/nftables master?
I will try to rule out OS stuff by checking under a different kernel version.
@systemstart Yes, I am on master of github.com/google/nftables. Please check out this library github.com/sbezverk/nftableslib , it might be helpful to get things going faster and without diving into what is on the wire ;)
Time will drive me into a solution based on iptables.
I had a look at nftableslib, looks like the human interface to this netlink dialect.
Wonder who needs a non-human one.
Inappropriate Statements Department: out.
Possible Layer 8 Error
Hi.
I took the example about a blacklisting Set from here
When I run this code, nothing shows up with "nft list ruleset". If I remove the Set-related code and the Rule, at least Table and Chain show up in the current ruleset.
Without understanding all the wire format stuff, it looks like the Set-related things are breaking the batch issued with Flush().
Any hint?