On 18 January 2018 at 17:41, ad^2 <adsquai...@gmail.com> wrote:
>
> Package: nftables
> Version: 0.8.1-1
> Severity: normal
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where appropriate ***
>
> * Converting working iptables rules to nft rules.
> * Original iptables rules
> ** -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -i eth0 -p udp -m udp --dport 25 -j ACCEPT
> ** -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
> * Translated to nftables
> ** nft add map mapper incoming {type ipv4_addr . ipv4_addr . inet_service : verdict \;}
> ** nft add rule mapper input ip saddr . ip daddr . tcp dport vmap @incoming
> ** nft add element mapper incoming { 10.0.0.0/8 . 10.0.0.0/8 . 25 : accept }
>
> * Error
> ** <cmdline>:1:42-42: Error: syntax error, unexpected ., expecting comma or '}'
> * This works although it's not valid - note CIDR notation is removed.
> ** add element mapper incoming { 10.0.0.0 . 10.0.0.0 . 10050 : accept }
>
> * There is an expectation that CIDR notation will work with the ipv4_addr type when it works with saddr and daddr.
As far as I know, you can't use bit masks (i.e., network addresses) in concatenations.
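For the two rules in the report, the workaround is to keep the prefixes out of the concatenated key altogether: both iptables rules use the same source and destination prefix, so the prefixes can be matched in the rule itself and only the port needs to go through the verdict map. The script below is an added example, not code from the bug report or from the nftables project. It reuses the table and map names from the report (mapper, incoming); the chain hook and priority are assumed, since the report does not show how the input chain was created. Note that the original iptables rules match UDP while the posted nft rule used tcp dport; the example follows the iptables rules and matches udp.

```shell
#!/bin/sh
# Added example (not from the bug report or the nftables project).
# Table name "mapper" and map name "incoming" come from the report;
# the chain hook/priority and the use of a ruleset file are assumptions.

# Emit an nft ruleset that keeps CIDR prefixes in the rule, where they are
# accepted, and maps only the destination port to a verdict.
nft_ruleset() {
  cat <<'EOF'
table ip mapper {
    map incoming {
        type inet_service : verdict
        elements = { 25 : accept, 80 : accept }
    }
    chain input {
        type filter hook input priority 0;
        iifname "eth0" ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 udp dport vmap @incoming
    }
}
EOF
}

# Parse-only check of the generated ruleset (nft -c does not load it).
# Skips cleanly when nft is not installed so the script runs anywhere.
nft_check() {
  if command -v nft >/dev/null 2>&1; then
    nft_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
    return 0
  fi
}

# Returns 0 when no map element carries a "/prefix", i.e. the generated
# ruleset avoids exactly the construct the report's error came from.
nft_key_has_no_prefix() {
  ! nft_ruleset | grep -q 'elements = {.*/'
}

# Usage: nft_ruleset > mapper.nft && nft -f mapper.nft
```

Because the prefixes are constant across both rules, nothing is lost by moving them out of the map; if different address pairs needed different verdicts, separate rules (one per prefix pair) each pointing at its own port map would be the equivalent construction.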