From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Giorgio <giorgio.nicole@arcor.de>
Cc: netfilter@vger.kernel.org
Subject: Re: nft rule to redirect multiple ports using maps
Date: Fri, 9 Oct 2015 12:56:21 +0200 [thread overview]
Message-ID: <20151009105621.GA2624@salvia> (raw)
In-Reply-To: <5616CE2E.1070200@arcor.de>
On Thu, Oct 08, 2015 at 10:12:30PM +0200, Giorgio wrote:
> Hi,
>
> in the answer at:
>
> marc.info/?l=netfilter&m=144286539313019&w=2
>
> there is a cool example of how to use nft maps to write a rule
> that defines multiple dnats:
>
> nft add rule nat prerouting dnat \
> tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : \
> tcp dport map { 1000 : 1234, 1001 : 2222 }
>
>
> Now I would like to do something similar with port redirections
> to generalize rules like:
>
> nft add rule nat prerouting tcp dport 22 redirect to 2222
>
> found on the nftables wiki:
>
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
>
> Here is my (faulty) command line:
>
> # nft add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23 : 2323 }
> <cmdline>:1:37-74: Error: transport protocol mapping is only valid after transport protocol match
> add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23 : 2323 }
>
> I want to redirect a list of dports (22 and 23) to a corresponding list
> of new dports (2222 and 2323).
>
> I know that there is a way to do it but can't get the logic behind the
> syntax of this.
That is telling you that the protocol context is missing; try with this:

nft add rule nat prerouting ip protocol tcp \
redirect to tcp dport map { 22 : 2222, 23 : 2323 }

We may enhance our context generation routine so it infers the
protocol context from the 'tcp dport' in the map in the future, but
what I'm posting above should be fine for now.

You can file a bug to bugzilla as a request for enhancement, so we don't
forget.

Thanks for reporting.
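Putting the corrected rule from the reply above into an `nft -f` ruleset, as an added example that is not part of the thread: the script builds the nat table and prerouting chain around the `ip protocol tcp ... redirect to tcp dport map` rule from a constructed "port:port" list, and syntax-checks the result with `nft -c` before anything is loaded. The optional input-interface restriction, the port list and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Constructed example: generate an nft ruleset that redirects several TCP
# ports through a map, with the 'ip protocol tcp' match that gives the map
# its transport-protocol context, then check the syntax with 'nft -c'.

# Constructed input for this example: "original:new" port pairs.
PORT_MAP="22:2222 23:2323"

# Turn "22:2222 23:2323" into the nft map body "22 : 2222, 23 : 2323".
nft_map_body() {
    sep=""
    out=""
    for pair in $1; do
        out="${out}${sep}${pair%%:*} : ${pair##*:}"
        sep=", "
    done
    printf '%s' "$out"
}

# Emit the full ruleset. 'ip protocol tcp' before 'redirect' supplies the
# protocol context the map needs (the missing piece in the failing command).
# $2 (optional) restricts the rule to one input interface, so the redirected
# ports are not reachable from every interface (this example's assumption).
nft_redirect_ruleset() {
    iface=""
    [ -n "$2" ] && iface="iif \"$2\" "
    cat <<EOF
table ip nat {
	chain prerouting {
		type nat hook prerouting priority -100;
		${iface}ip protocol tcp redirect to tcp dport map { $(nft_map_body "$1") }
	}
}
EOF
}

# Parse-check the generated ruleset without loading it (nft -c / --check).
# Needs a real nft binary; returns 2 when nft is not installed.
nft_check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft_redirect_ruleset "$1" "$2" | nft -c -f -
}

# Usage: print the ruleset for review, then check it.
nft_redirect_ruleset "$PORT_MAP" eth0
nft_check_ruleset "$PORT_MAP" eth0 || echo "nft check skipped or failed (rc=$?)"
```

Load it with `nft -f` only after the check passes; `nft list ruleset` afterwards shows the rule as the kernel accepted it.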