我想通过提供子网掩码来匹配一组网络。匿名集可以工作,但我想创建一个预定义集以便在需要时重复使用它。
nft add set filter AllowedSSH { type ipv4_addr\;} // type for addresses
nft add element filter AllowedSSH { 10.0.0.0/8 } // not working
nft add element filter AllowedSSH { 10.0.0.1 } // works by IP
执行此操作的正确语法是什么?
变量样式也不起作用:
nft define networks = { 10.0.0.0/8 }
nft add rule ip filter input ip saddr $networks tcp dport 22 accept
Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule ip filter input ip saddr tcp dport 53 counter accept
^^^^^
NFT 版本:
[root@foo ~]# nft -v
nftables v0.8 (Joe Btfsplk)
提前致谢。
答案1
我相信你的 nftables 版本应该支持 interval 标志。另外，define 的变量必须和使用它们的规则出现在同一份 nft 输入中（例如通过 nft -f 加载，并用带引号的 heredoc 分隔符避免 shell 展开）；在单独的 shell 命令行里，$networks 会先被 shell 展开为空，这正是你看到的错误里 ip saddr 后面直接跟着 tcp 的原因。我的系统成功解析了以下 nftables 配置:
[root@localhost ~]# nft flush ruleset ; nft -f - <<'FWRULES'
define gw = 192.168.1.1
define intnets = { 10.100.0.0/24, 100.200.0.0/24 }
define http_allowed = { $gw, $intnets, 10.150.0.0/24, 10.250.0.250 }
table ip filter {
set ssh_allowed {
type ipv4_addr
flags interval
elements = { $gw, 172.16.24.32, $intnets, 192.168.224.192/28 }
}
chain input {
type filter hook input priority 0;
policy drop;
ip saddr $http_allowed tcp dport { 80, 443, 8080, 8443 } counter accept
ip saddr @ssh_allowed tcp dport ssh counter accept
}
}
FWRULES
[root@localhost ~]# nft list ruleset
table ip filter {
set ssh_allowed {
type ipv4_addr
flags interval
elements = { 10.100.0.0/24, 100.200.0.0/24,
172.16.24.32, 192.168.1.1,
192.168.224.192/28 }
}
chain input {
type filter hook input priority filter; policy drop;
ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
}
}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.224.240 \}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.227.0/24 \}
[root@localhost ~]# nft list ruleset
table ip filter {
set ssh_allowed {
type ipv4_addr
flags interval
elements = { 10.100.0.0/24, 100.200.0.0/24,
172.16.24.32, 192.168.1.1,
192.168.224.192/28, 192.168.224.240,
192.168.227.0/24 }
}
chain input {
type filter hook input priority filter; policy drop;
ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
}
}
[root@localhost ~]# nft -v
nftables v0.9.1 (Headless Horseman)
答案2
地址范围和子网（CIDR 前缀）表示法需要在集合上设置 interval 标志:
# 'flags interval' is what lets the set hold CIDR prefixes and address ranges;
# the backslashes stop the shell from treating ';' as a command separator.
nft add set filter AllowedSSH { type ipv4_addr\; flags interval\;}
然后您可以添加前缀网络和范围:
# Once the set has 'flags interval', a prefix and an a-b range can be added in one element list.
nft add element filter AllowedSSH { 10.0.0.0/8, 10.2.3.4-10.5.6.6 }
官方文档在这里:http://wiki.nftables.org/wiki-nftables/index.php/Sets