nft rule to redirect multiple ports using maps

nft rule to redirect multiple ports using maps

[Giorgio]

Hi,

in the answer at:

marc.info/?l=netfilter&m=144286539313019&w=2

there is a cool example of how to use nft maps to write a rule
that defines multiple dnats:

nft add rule nat prerouting dnat \
      tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : \
      tcp dport map { 1000 : 1234, 1001 : 2222 }


Now I would like to do something similar with port redirections
to generalize rules like:

nft add rule nat prerouting tcp dport 22 redirect to 2222

found on the nftable wiki:

http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

Here is my (faulty) command line:

# nft add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23
: 2323 }
<cmdline>:1:37-74: Error: transport protocol mapping is only valid after
transport protocol match
add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23 : 2323 }

I want to redirect a list of dports (22 and 23) to a correspondent list
of new dports (2222 and 2323).

I know that there is a way to do it but can't get the logic behind the
syntax of this.

giorgio

Re: nft rule to redirect multiple ports using maps

[Pablo Neira Ayuso]

On Thu, Oct 08, 2015 at 10:12:30PM +0200, Giorgio wrote:
> Hi,
> 
> in the answer at:
> 
> marc.info/?l=netfilter&m=144286539313019&w=2
> 
> there is a cool example of how to use nft maps to write a rule
> that defines multiple dnats:
> 
> nft add rule nat prerouting dnat \
>       tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : \
>       tcp dport map { 1000 : 1234, 1001 : 2222 }
> 
> 
> Now I would like to do something similar with port redirections
> to generalize rules like:
> 
> nft add rule nat prerouting tcp dport 22 redirect to 2222
> 
> found on the nftable wiki:
> 
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
> 
> Here is my (faulty) command line:
> 
> # nft add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23
> : 2323 }
> <cmdline>:1:37-74: Error: transport protocol mapping is only valid after
> transport protocol match
> add rule nat prerouting redirect to tcp dport map { 22 : 2222, 23 : 2323 }
> 
> I want to redirect a list of dports (22 and 23) to a correspondent list
> of new dports (2222 and 2323).
> 
> I know that there is a way to do it but can't get the logic behind the
> syntax of this.

That is telling that protocol context is missing, try with this:

 nft add rule nat prerouting ip protocol tcp \
        redirect to tcp dport map { 22 : 2222, 23 : 2323 }

We may enhance our context generation routine so it infers the
protocol context from the 'tcp dport' in the map in the future, but
what I'm posting above should be fine by now.

You can file a bug to bugzilla as request for enhancement, so we don't
forget.

Thanks for reporting.

Re: nft rule to redirect multiple ports using maps

[Neal P. Murphy]

On Fri, 9 Oct 2015 12:56:21 +0200
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> On Thu, Oct 08, 2015 at 10:12:30PM +0200, Giorgio wrote:

> > <cmdline>:1:37-74: Error: transport protocol mapping is only valid after
> > transport protocol match

> That is telling that protocol context is missing, try with this:
> 
>  nft add rule nat prerouting ip protocol tcp \
>         redirect to tcp dport map { 22 : 2222, 23 : 2323 }

The words, while technically correct, probably should convey more information. Perhaps something like:

"... Error: You must specify a transport protocol (TCP/UDP/etc.) before you can map it"

Neal