nftables: variable network ranges in named maps

+3 votes
549 views

I want to use network ranges and host IPs in named maps. Using them in anonymous maps works:

# nft add rule filter output ip daddr vmap {192.168.0.0/24 : drop, 192.168.0.1 : accept}

However, in named maps it fails:

# nft -i
nft> add map filter verdict_map { type ipv4_address : verdict; }
nft> add element filter verdict_map { 1.2.3.5 : drop}
nft> add element filter verdict_map { 1.2.3.4/16 : accept}
BUG: invalid data expression type prefix

How do I use ranges or more complex expressions like IP + port in maps?

posted Jan 12, 2015 by anonymous
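Added example, not part of the original question and not taken from the nftables project: a named map that holds CIDR prefixes, next to a second map keyed on address plus port. In nftables a named set or map only accepts prefixes and ranges as keys when it is declared with `flags interval`; a compound key is declared as a concatenation of types joined with `.`, and current nft spells the address type `ipv4_addr`. The table, map and chain names below are assumed, and every element is a constructed sample value.

```nft
# Added example: named maps with prefix keys and with address + port keys.
# Table, map and chain names are assumed; element values are constructed.
table inet filter {
    # "flags interval" is what lets CIDR prefixes and ranges be used as
    # keys. Keep the entries non-overlapping: a map cannot carry two
    # different verdicts for the same address.
    map verdict_map {
        type ipv4_addr : verdict
        flags interval
        elements = { 192.168.0.0/24 : drop,
                     10.0.0.0/8 : accept,
                     203.0.113.7 : drop }
    }

    # Compound key: concatenated types, written with "." between them.
    map addr_port_map {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.10 . 22 : accept,
                     192.0.2.10 . 80 : drop }
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Lookups use the same shape as the key type.
        ip daddr vmap @verdict_map
        ip daddr . tcp dport vmap @addr_port_map
    }
}
```

Load the file with `nft -f <file>`; further entries can be added at runtime with `nft add element inet filter verdict_map { 198.51.100.0/24 : drop }`. Prefixes or ranges inside a concatenated key (for example `192.0.2.0/24 . 22`) need `flags interval` on that map as well, and kernel support for concatenated ranges only arrived in Linux 5.6.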


Similar Questions
+2 votes

I would like to DNAT IPv4 to IPv6. Is this currently possible maybe with nftables?
I'm looking for something similar to:

iptables -t nat -A PREROUTING -p tcp --dport 4001 -d 1.2.3.4 -j DNAT --to '[fd00::fffa:1]:22'
+2 votes

Can someone help on how to replace the following iptables rule with nft:

iptables -t raw -A PREROUTING -i eth0 -j CT --notrack

Is this possible with nft or not?

+1 vote

I've done some digging but really can't find a good explanation of the syntax for matching TCP flags in nftables. In iptables a rule can be written like:

-A TEST_BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BADFLAGS

How do I do the equivalent in nftables? Also are we still able to use the "ALL" and "NONE" keywords?

+2 votes

From the docs on netfilter queues:

nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff);
...
fd = nfq_fd(h);
while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0)
{
 printf("pkt received\n");
 nfq_handle_packet(h, buf, rv);
}

When the CPU hits the printf()... what exactly has been read from fd?

Looking at a hex dump of the bytes read, it doesn't look like L2+L3, etc... But I think I'm seeing L3 about 58 bytes into the buffer. So what are the first 58 bytes?

Which is what nfq_get_payload() returns as well.

Is there significance to those first 58 or so bytes? If I subtract 14 from nfq_get_payload(), it doesn't seem to be L2.

+4 votes

I have a query regarding the flow of IP packets from the internet world to the LTE network (till PGW). During the attach procedure, the UE gets an IP address. When a UE wants to access a website it sends a packet to the external world; it reaches the PGW and the PGW sends it out to the internet world over the SGi interface. When the website server in the internet world receives a request from the UE it sends a reply back to the UE. How will the reply packet flow through the IP network till PGW? Is there any change in the IP header of the packet during the flow?

...