how to do port forwarding using nftables map

how to do port forwarding using nftables map

[神楽坂玲奈]

I'm doing many port forwarding service on a linux server. There will
be many(may thousands of) port forward rule so I want to use nftables
map to improve performance rather than just many rules.

the policy will be [protocol : port -> address : port], like [tcp 1234
-> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
protocol port 4321.
the protocol may only tcp and udp. so it's also ok if the key can
support only one port field. i can set maps and rules for each
protocol.

the problem is, how to define the value "ip:port" using map?

I tried create 2 maps, using

> nft add map nat forward_address {type inet_service : ipv4_addr \;}
> nft add map nat forward_port {type inet_service : inet_service \;}

but then I don't know how to set dnat rule....... seems the dnat
destnation can only accept one map value? and also i don't know how to
set "ip:port" as one value in map.

Re: how to do port forwarding using nftables map

[Pablo Neira Ayuso]

On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
> I'm doing many port forwarding service on a linux server. There will
> be many(may thousands of) port forward rule so I want to use nftables
> map to improve performance rather than just many rules.
> 
> the policy will be [protocol : port -> address : port], like [tcp 1234
> -> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
> protocol port 4321.
> the protocol may only tcp and udp. so it's also ok if the key can
> support only one port field. i can set maps and rules for each
> protocol.
> 
> the problem is, how to define the value "ip:port" using map?
> 
> I tried create 2 maps, using
> 
> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
> > nft add map nat forward_port {type inet_service : inet_service \;}
> 
> but then I don't know how to set dnat rule....... seems the dnat
> destnation can only accept one map value? and also i don't know how to
> set "ip:port" as one value in map.

Could you provide an example of your iptables ruleset? Thanks.

Re: how to do port forwarding using nftables map

[神楽坂玲奈]

iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
--to-destination 1.1.1.1:2222
iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
--to-destination 2.2.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
--to-destination 8.8.8.8:53
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
--to-destination 2.2.2.21234
(many of these)

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

2015-09-21 16:49 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
>> I'm doing many port forwarding service on a linux server. There will
>> be many(may thousands of) port forward rule so I want to use nftables
>> map to improve performance rather than just many rules.
>>
>> the policy will be [protocol : port -> address : port], like [tcp 1234
>> -> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
>> protocol port 4321.
>> the protocol may only tcp and udp. so it's also ok if the key can
>> support only one port field. i can set maps and rules for each
>> protocol.
>>
>> the problem is, how to define the value "ip:port" using map?
>>
>> I tried create 2 maps, using
>>
>> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
>> > nft add map nat forward_port {type inet_service : inet_service \;}
>>
>> but then I don't know how to set dnat rule....... seems the dnat
>> destnation can only accept one map value? and also i don't know how to
>> set "ip:port" as one value in map.
>
> Could you provide an example of your iptables ruleset? Thanks.

Re: how to do port forwarding using nftables map

[Pablo Neira Ayuso]

On Mon, Sep 21, 2015 at 11:30:54PM +0800, 神楽坂玲奈 wrote:
> iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
> --to-destination 1.1.1.1:2222
> iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
> --to-destination 2.2.1.1:1234
> iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
> --to-destination 8.8.8.8:53
> iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
> --to-destination 2.2.2.21234
> (many of these)

nft add rule nat prerouting dnat \
        tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : tcp dport map { 1000 : 1234, 1001 : 2222 }

Re: how to do port forwarding using nftables map

[神楽坂玲奈]

great! it works, thanks.

2015-09-22 4:03 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Mon, Sep 21, 2015 at 11:30:54PM +0800, 神楽坂玲奈 wrote:
>> iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
>> --to-destination 1.1.1.1:2222
>> iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
>> --to-destination 2.2.1.1:1234
>> iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
>> --to-destination 8.8.8.8:53
>> iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
>> --to-destination 2.2.2.21234
>> (many of these)
>
> nft add rule nat prerouting dnat \
>         tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : tcp dport map { 1000 : 1234, 1001 : 2222 }