netfilter buglog - Nov 2019 - [Bug 1380] New: please enable adding networks to named set

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

            Bug ID: 1380
           Summary: please enable adding networks to named set
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: oz42 at oz42.eu

Please enable a feature so that we can add networks and not just single IP
addresses to a set:

root at nft:~# nft add element inet filter blacklist { 1.2.3.4 }

root at nft:~# nft add element inet filter blacklist { 1.2.3.0/24 }
Error: Set member cannot be prefix, missing interval flag on declaration
add element inet filter blacklist { 1.2.3.0/24 }
                                    ^^^^^^^^^^

Without this feature I have to use iptables. :-(

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191108/70414c02/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

Thomas <tad1073 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|All                         |x86_64
                 CC|                            |tad1073 at gmail.com
                 OS|All                         |Ubuntu

--- Comment #1 from Thomas <tad1073 at gmail.com> ---
Yes, please do.

Error: Set member cannot be prefix, missing interval flag on declaration
add set ip mangle bh1_4 {type ipv4_addr; flags constant;
elements={1.1.128.0/18} ; }

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191230/7e76be52/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net

--- Comment #2 from kfm at plushkava.net ---
Have you tried specifying the interval flag for the set?

I think that the error message should be re-worded because there is ample
evidence that it is being misunderstood. I would suggest: "Unable to add a
prefix because the set was declared without the interval flag".

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191231/87757611/attachment-0001.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

--- Comment #3 from Olaf Zaplinski <oz42 at oz42.eu> ---
So there is no CIDR notation (yet)? That would mean complicated IPv6 rulesets.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200102/35a92379/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

--- Comment #4 from kfm at plushkava.net ---
Sets support four flags: constant, dynamic, interval and timeout. Declare your
set with at least the interval flag before trying to add a network prefix (in
CIDR notation).

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200102/3c78666b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

--- Comment #5 from Thomas <tad1073 at gmail.com> ---
(In reply to kfm from comment #4)
Thanks, it's working.

    set bh1_v4 {
        type ipv4_addr
        flags constant,interval
        elements = { 1.1.128.0/18, 10.0.3.0-10.255.255.255,
                 45.136.108.0/22, 66.240.192.0/18,
                 78.108.176.0/20, 81.22.45.0/24,
                 92.53.90.0/24, 93.174.95.0/24,
                 100.64.0.0/10, 111.240.0.0/12,
                 112.122.64.0/20, 146.88.240.0/20,
                 151.102.0.0/16, 169.0.0.0/11,
                 169.64.0.0-169.255.255.255, 171.116.0.0/14,
                 172.16.0.0/12, 180.96.0.0/11,
                 185.209.0.0/24, 192.0.0.0/24,
                 192.0.2.0/24, 192.168.0.0/16,
                 193.56.28.0/24, 198.18.0.0/16,
                 198.51.100.0/24, 203.0.113.0/24,
                 223.240.0.0/13, 224.0.0.0/8 }
    }

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200103/79c37b11/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch to try a different error notice:

http://patchwork.ozlabs.org/patch/1220966/

Let me know if this one looks better. Thanks.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200110/a5976d66/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

--- Comment #7 from kfm at plushkava.net ---
Well, +1 from me. The disambiguation of sets and maps is a nice maneuver too.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200110/855c0d37/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|ASSIGNED                    |RESOLVED

--- Comment #8 from kfm at plushkava.net ---
Closing as resolved because the error message is now far more instructive and
there has been no further commentary for almost a year. Hopefully, that can be
taken to mean that noone else has since been flummoxed by the need for the
interval flag. For the record, this improvement made it into version 0.9.4.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201203/d79be20a/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1380

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.
                   |                            |org/show_bug.cgi?id=1300

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201203/49330768/attachment-0001.html>