I'm building a new server, and thought, it's 2025 and probably a good time to migrate from iptables, ipset... to nftables. Earlier or later it has to happen anyway, right?
# uname -a
Linux starnet 6.12.6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.6-1 (2024-12-21) x86_64 GNU/Linux
# nft -V
nftables v1.1.1 (Commodore Bullmoose #2)
cli: editline
json: yes
minigmp: no
libxtables: yes
Started with simple commands, and already started to struggle. Later came to the need of using sets of IPs. Oh man, nftables is a hell of a nightmare... OK, to the problem:
simple bash script to create an IP set:
#!/bin/bash
NFT=/usr/sbin/nft
# create the set, then (re)populate it one element at a time
$NFT add set inet filter ALLOWIPS { type ipv4_addr \; flags constant, interval \; }
$NFT flush set inet filter ALLOWIPS
$NFT add element inet filter ALLOWIPS { 172.17.0.0/24 }
$NFT add element inet filter ALLOWIPS { 192.168.0.0/24 }
$NFT add element inet filter ALLOWIPS { 192.168.1.58 }
$NFT add element inet filter ALLOWIPS { 192.168.1.89 }
$NFT add element inet filter ALLOWIPS { 192.168.1.125 }
$NFT add element inet filter ALLOWIPS { 192.168.1.179 }
$NFT add element inet filter ALLOWIPS { 192.168.1.212 }
see if it worked:
# nft list set inet filter ALLOWIPS
table inet filter {
set ALLOWIPS {
type ipv4_addr
flags constant,interval
elements = { 172.17.0.0/24, 192.168.0.0/24,
192.168.1.58, 192.168.1.89,
192.168.1.125, 192.168.1.179,
192.168.1.212 }
}
}
try some management:
# nft delete element inet filter ALLOWIPS { 192.168.1.58 }
# nft list set inet filter ALLOWIPS
table inet filter {
set ALLOWIPS {
type ipv4_addr
flags constant,interval
elements = { 172.17.0.0/24, 192.168.0.0/24,
192.168.1.89, 192.168.1.125,
192.168.1.179, 192.168.1.212 }
}
}
Now, try using this IP set:
# nft add rule inet filter input iifname int1 ip daddr 8.8.8.8 ip saddr @ALLOWIPS accept
and here I stopped:
# nft add element inet filter ALLOWIPS { 192.168.1.58 }
Error: Could not process rule: Device or resource busy
add element inet filter ALLOWIPS { 192.168.1.58 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft flush set inet filter ALLOWIPS
Error: Could not process rule: Device or resource busy
flush set inet filter ALLOWIPS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.php/Sets says: "Named sets can be updated anytime."
Please help me, nft gods. Thanks.
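The EBUSY in the post comes from `flags constant`, which nft(8) documents as "set content may not change while bound" to a rule. Below is an added example (not code from the original post or from the nftables project) of a POSIX sh helper that declares the set with `interval` only and replaces its members in one atomic `nft -f` transaction; it assumes the `inet filter` table from the question exists, that `nft` is on PATH, and reuses the poster's sample addresses.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: table "inet filter" already exists (as in the question) and
# nft is on PATH. Sample addresses below are the poster's examples.
#
# "flags constant" tells the kernel the set's contents may not change
# while a rule binds it, hence EBUSY on add/delete/flush. A set with
# only "flags interval" keeps prefix support and stays updatable.
# A set's flags cannot be changed in place: the poster's existing
# constant set must be deleted first (after removing the rule that
# references it) before this declaration can take effect.

# Print one nft transaction: declare the set, flush it, then add the
# given elements. Everything in one "nft -f" run is applied atomically,
# so the allow list is never empty between the flush and the adds.
gen_allowlist_ruleset() {
    for e in "$@"; do
        # Refuse anything that is not an IPv4 address or prefix, so
        # caller input cannot inject extra nft statements.
        case "$e" in
            *[!0-9./]* | '') printf 'bad element: %s\n' "$e" >&2; return 1 ;;
        esac
    done
    printf '%s\n' \
        'table inet filter {' \
        '    set ALLOWIPS {' \
        '        type ipv4_addr' \
        '        flags interval' \
        '    }' \
        '}' \
        'flush set inet filter ALLOWIPS'
    for e in "$@"; do
        printf 'add element inet filter ALLOWIPS { %s }\n' "$e"
    done
}

# Validate with a dry run (nft -c) before committing; needs root.
apply_allowlist() {
    tmp=$(mktemp) || return 1
    gen_allowlist_ruleset "$@" > "$tmp" && nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Show the transaction that would be applied (run apply_allowlist as
# root to commit it).
gen_allowlist_ruleset 172.17.0.0/24 192.168.0.0/24 192.168.1.58 192.168.1.89
```

Once the set is no longer constant, the poster's `nft add element` / `nft delete element` commands also work directly on the live set; the transaction above is just the way to swap the whole list without a window where nothing is allowed.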
Source: "device - nftables managing sets of ips" on Stack Overflow, mirrored at http://www.betaflare.com/web/1741420998a2377804.html