
I'm building a new server, and thought, it's 2025 and probably a good time to migrate from iptables, ipset... to nftables. Sooner or later it has to happen anyway, right?

# uname -a
Linux starnet 6.12.6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.6-1 (2024-12-21) x86_64 GNU/Linux
# nft -V
nftables v1.1.1 (Commodore Bullmoose #2)
  cli:          editline
  json:         yes
  minigmp:      no
  libxtables:   yes

Started with simple commands and already started to struggle. Later I came to need sets of IPs. Oh man, nftables is a hell of a nightmare... OK, to the problem:

Simple bash script to create an IP set:

#!/bin/bash

NFT=/usr/sbin/nft
# interval: elements may be CIDR ranges; constant: contents may not change
# once the set is bound to a rule
$NFT add set inet filter ALLOWIPS { type ipv4_addr \; flags constant, interval \; }
$NFT flush set inet filter ALLOWIPS

# networks
$NFT add element inet filter ALLOWIPS { 172.17.0.0/24 }
$NFT add element inet filter ALLOWIPS { 192.168.0.0/24 }

# single hosts
$NFT add element inet filter ALLOWIPS { 192.168.1.58 }
$NFT add element inet filter ALLOWIPS { 192.168.1.89 }
$NFT add element inet filter ALLOWIPS { 192.168.1.125 }
$NFT add element inet filter ALLOWIPS { 192.168.1.179 }
$NFT add element inet filter ALLOWIPS { 192.168.1.212 }

See if it worked:

# nft list set inet filter ALLOWIPS
table inet filter {
        set ALLOWIPS {
                type ipv4_addr
                flags constant,interval
                elements = { 172.17.0.0/24, 192.168.0.0/24,
                             192.168.1.58, 192.168.1.89,
                             192.168.1.125, 192.168.1.179,
                             192.168.1.212 }
        }
}

Try some management:

# nft delete element inet filter ALLOWIPS { 192.168.1.58 }

# nft list set inet filter ALLOWIPS
table inet filter {
        set ALLOWIPS {
                type ipv4_addr
                flags constant,interval
                elements = { 172.17.0.0/24, 192.168.0.0/24,
                             192.168.1.89, 192.168.1.125,
                             192.168.1.179, 192.168.1.212 }
        }
}

Now, try using this IP set:

# nft add rule inet filter input iifname int1 ip daddr 8.8.8.8  ip saddr @ALLOWIPS accept

And here I stopped:

# nft add element inet filter ALLOWIPS { 192.168.1.58 }
Error: Could not process rule: Device or resource busy
add element inet filter ALLOWIPS { 192.168.1.58 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft flush set inet filter ALLOWIPS
Error: Could not process rule: Device or resource busy
flush set inet filter ALLOWIPS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

https://wiki.nftables.org/wiki-nftables/index.php/Sets says: "Named sets can be updated anytime."

Please help me, nft gods. Thanks.

  • The "constant" flag prohibits changes when the rule is in use. Commented May 20 at 16:58
  • Is there a way to remove this flag? Commented Jul 22 at 20:06
  • The flag is in the bash script. Remove it from there, if you don't want it. Commented Jul 23 at 5:38
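Added example, written for this page and not code from the question or from the comments above. Set flags cannot be changed on an existing set, so getting rid of "constant" means deleting the set and recreating it with "flags interval" only; and because the rule that binds the set has to be deleted first and re-added afterwards, the script emits all of that as one batch for "nft -f -", which the kernel applies atomically. Assumptions not in the original: the table "inet filter", the chain "input" and the set ALLOWIPS already exist ("delete set" fails on a missing set), the existing rule's handle is looked up with "nft -a", and "int1" is the interface name from the question.

```bash
#!/bin/bash
# Added example, not code from the question or its comments.
# Rebuild the ALLOWIPS set without the "constant" flag so that elements can be
# added or removed while a rule references it, and do it in one nft batch.
# Assumptions (not in the original): table "inet filter", chain "input" and
# the set ALLOWIPS already exist; "int1" is the interface from the question.
set -eu

NFT=${NFT:-/usr/sbin/nft}
TABLE="inet filter"
CHAIN="input"
SET="ALLOWIPS"
# Constructed element list, copied from the question's script.
ELEMENTS="172.17.0.0/24, 192.168.0.0/24, 192.168.1.58, 192.168.1.89, 192.168.1.125, 192.168.1.179, 192.168.1.212"

# Set flags per mode. "constant" means the contents may not change while the
# set is bound to a rule, which is what produces "Device or resource busy"
# (EBUSY); "interval" alone keeps CIDR elements and stays mutable.
set_flags() {
    case "$1" in
        broken) printf 'constant, interval' ;;
        fixed)  printf 'interval' ;;
        *)      return 1 ;;
    esac
}

# Emit one nft batch: drop the rule that binds the set (if a handle is given),
# drop the set, recreate it with the wanted flags, refill it, re-add the rule.
# Fed to "nft -f -" the batch is applied all-or-nothing, so there is no window
# in which the chain runs without the accept rule.
# $1 = broken|fixed, $2 = handle of the existing rule (empty if none).
rebuild_batch() {
    local mode=$1 handle=${2:-}
    if [ -n "$handle" ]; then
        printf 'delete rule %s %s handle %s\n' "$TABLE" "$CHAIN" "$handle"
    fi
    printf 'delete set %s %s\n' "$TABLE" "$SET"
    printf 'add set %s %s { type ipv4_addr; flags %s; }\n' \
        "$TABLE" "$SET" "$(set_flags "$mode")"
    printf 'add element %s %s { %s }\n' "$TABLE" "$SET" "$ELEMENTS"
    printf 'add rule %s %s iifname "int1" ip daddr 8.8.8.8 ip saddr @%s accept\n' \
        "$TABLE" "$CHAIN" "$SET"
}

# Handle of the rule that references the set; "nft -a" appends "# handle N"
# to each rule. Prints nothing if there is no such rule or nft is unavailable.
rule_handle() {
    # $TABLE is unquoted on purpose: family and table name are two words.
    "$NFT" -a list chain $TABLE "$CHAIN" 2>/dev/null \
        | awk -v s="@$SET" '$0 ~ s && /# handle/ { print $NF; exit }'
}

# Print the batch (DRY_RUN=1, the default) or apply it with "nft -f -".
apply() {
    local batch
    batch=$(rebuild_batch "${1:-fixed}" "${2:-}")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$batch"
    else
        printf '%s\n' "$batch" | "$NFT" -f -
    fi
}

# Stand-alone: "./rebuild-allowips.sh" prints the batch, "DRY_RUN=0
# ./rebuild-allowips.sh" applies it as root. Afterwards
# "nft add element inet filter ALLOWIPS { 192.168.1.58 }" succeeds.
main() {
    apply fixed "$(rule_handle || true)"
}
main
```

Run it once as a dry run and read the batch before applying it; the rule is re-added at the end of the chain, so if ordering relative to other rules matters, use "insert rule" or "add rule ... index N" instead. On nft 1.0.7 or newer with a 6.3+ kernel, "destroy set" can replace "delete set" so the batch also works when the set does not exist yet.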
