使用过滤器或变量匹配子网的 nftables 命名集

tag-icon tag-icon networking nftables
使用过滤器或变量匹配子网的 nftables 命名集

我想通过提供子网掩码来匹配一组网络。匿名集可以工作,但我想创建一个预定义集以便在需要时重复使用它。

nft add set filter AllowedSSH { type ipv4_addr\;} // type for addreses
nft add element filter AllowedSSH { 10.0.0.0/8 }  // not working
nft add element filter AllowedSSH { 10.0.0.1 }    // works by IP

执行此操作的正确语法是什么?

变量样式也不起作用:

nft define networks = { 10.0.0.0/8 }
nft add rule ip filter input ip saddr $networks tcp dport 22 accept
Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule ip filter input ip saddr tcp dport 53 counter accept
                                  ^^^^^

NFT 版本:

[root@foo ~]# nft -v
nftables v0.8 (Joe Btfsplk)

提前致谢。

答案1

我相信你的 nftables 设置应该能够间隔标志。我的系统成功解析了以下 nftables 配置:

[root@localhost ~]# nft flush ruleset ; nft -f - <<'FWRULES'
define gw = 192.168.1.1
define intnets = { 10.100.0.0/24, 100.200.0.0/24 }
define http_allowed = { $gw, $intnets, 10.150.0.0/24, 10.250.0.250 }

table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { $gw, 172.16.24.32, $intnets, 192.168.224.192/28 }
    }
    chain input {
        type filter hook input priority 0;
        policy drop;

        ip saddr $http_allowed tcp dport { 80, 443, 8080, 8443 } counter accept
        ip saddr @ssh_allowed tcp dport ssh counter accept
    }
}
FWRULES

[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.224.240 \}
[root@localhost ~]# nft add element ip filter ssh_allowed \{ 192.168.227.0/24 \}
[root@localhost ~]# nft list ruleset
table ip filter {
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 10.100.0.0/24, 100.200.0.0/24,
                 172.16.24.32, 192.168.1.1,
                 192.168.224.192/28, 192.168.224.240,
                 192.168.227.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr { 10.100.0.0/24, 10.150.0.0/24, 10.250.0.250, 100.200.0.0/24, 192.168.1.1 } tcp dport { 80, 443, 8080, 8443 } counter packets 0 bytes 0 accept
        ip saddr @ssh_allowed tcp dport 22 counter packets 0 bytes 0 accept
    }
}

[root@localhost ~]# nft -v
nftables v0.9.1 (Headless Horseman)

答案2

地址范围和子网表示法需要间隔旗帜:

nft add set filter AllowedSSH { type ipv4_addr\; flags interval\;}

然后您可以添加前缀网络和范围:

nft add element filter AllowedSSH { 10.0.0.0/8, 10.2.3.4-10.5.6.6 }

官方文档在这里:http://wiki.nftables.org/wiki-nftables/index.php/Sets

相关内容