pvxe / nftables-geoip

Python script that generates nft maps of IP address blocks and their corresponding geolocation. The data is taken from db-ip.com, so you don't have to worry about accepting any EULA.
GNU General Public License v2.0

Example configuration for IPv4 + IPv6 #5

Closed trallen closed 4 years ago

trallen commented 4 years ago

For those using both the @geoip4 and @geoip6 maps, the recommended configuration in the README results in the following error: Error: conflicting protocols specified: ip vs. ip6

This is because, by default, table geoip { ... } creates an ip table, which rejects ipv6 addresses. Instead, users should use table inet geoip { ... }.

This is probably trivial for those with nftables experience to resolve, but it might be worth either changing the example configuration, or adding a note to warn users that they need to use the following configuration:

table inet geoip {
        include "/etc/nftables/geoip/geoip-def-all.nft"
        include "/etc/nftables/geoip/geoip-ipv4.nft"
        include "/etc/nftables/geoip/geoip-ipv6.nft"
        chain input {
                type filter hook input priority 0; policy accept;
                # mark incoming packets with country
                meta mark set ip saddr map @geoip4
                meta mark set ip6 saddr map @geoip6
        }
}

Thanks for creating a great tool!
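The family conflict described in this issue can be reproduced and checked without the generated include files. The following is an added, self-contained example written for this page (it is not code from the nftables-geoip project or from either participant): stub maps of the same shape the script generates stand in for geoip-ipv4.nft and geoip-ipv6.nft, the country marks (AU, BR) and the address ranges are constructed for illustration only, and the whole file can be syntax-checked with `nft -c -f geoip-example.nft`. Changing the first line of the table to `table ip geoip` reproduces the "conflicting protocols specified: ip vs. ip6" error on the ip6 rule.

```nft
# Added example (not from the nftables-geoip project): an inet table with
# stub maps in place of the generated include files, so the file can be
# checked on its own with `nft -c -f geoip-example.nft`.
# Mark values and address ranges below are constructed for illustration
# and do not come from db-ip.com.

define AU = 36
define BR = 76

table inet geoip {
        # Stand-in for geoip-ipv4.nft: interval map from IPv4 prefix to mark.
        map geoip4 {
                type ipv4_addr : mark
                flags interval
                elements = { 192.0.2.0/24 : $AU, 198.51.100.0/24 : $BR }
        }
        # Stand-in for geoip-ipv6.nft: same shape for IPv6 prefixes.
        map geoip6 {
                type ipv6_addr : mark
                flags interval
                elements = { 2001:db8:1::/48 : $AU, 2001:db8:2::/48 : $BR }
        }
        chain input {
                type filter hook input priority 0; policy accept;
                # In an inet table each of these rules only sees packets of
                # its own family, so both can live in one chain. In an "ip"
                # family table the ip6 rule is rejected at load time.
                meta mark set ip saddr map @geoip4
                meta mark set ip6 saddr map @geoip6
                # Example policy using the mark: drop new inbound
                # connections from BR, whichever address family they use.
                ct state new meta mark $BR drop
        }
}
```

Packets whose source address is not in the map leave the mark untouched, so a policy rule keyed on the mark only fires for addresses the maps actually cover; when swapping in the real generated files, keep the `include` lines in the same order as in the README so the `define`s are visible before the maps that reference them.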

pvxe commented 4 years ago

Hey @trallen thanks for pointing this out. I think this is a good idea.

But it's true I've assumed some kind of experience using nftables if you need this script. Feel free to submit a PR if you want (in that case don't forget to mention closing the issue in the commit message), else I can push a fix real quick. :)

trallen commented 4 years ago

Thanks! I'm happy with any changes you care to make, but can submit a PR if you prefer.

pvxe commented 4 years ago

I have some spare time right now, so to make things quick I did just fix it. Thanks again!