netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: nevola@gmail.com
Subject: [PATCH nft 0/6] allow s/dnat to map to both addr and port
Date: Mon, 24 Feb 2020 01:03:18 +0100
Message-ID: <20200224000324.9333-1-fw@strlen.de>

Right now it's not possible to use a map with snat/dnat to alter both
address and port at the same time.

This series teaches nft to accept this:

	map y4 {
		type ipv4_addr : ipv4_addr . inet_service
		elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
	}
	meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4

i.e., it allows:
1. A mapping that contains a concatenated expression.
2. The nat expression will peek into the set type and detect when
   the mapping is of 'addr + port' type.
   Linearization will compute the register that contains the port
   part of the mapping.
3. Delinearization will figure out when this trick was used by looking
   at the length of the mapping: 64 == ipv4addr+service, 160 == ipv6addr+service.

What does not work:
Anonymous mappings, i.e.
meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map { 1.2.3.4 : 1.2.3.5 . 53, ..

doesn't work.  When evaluating "1.2.3.4", this is still a symbol and
unlike with named sets, nft doesn't have a properly declared set type.

This is similar to the 'maps-on-LHS-side' issue.
Phil suggested to allow this:
 ...  to ip saddr map { type ipv4_addr : ipv4_addr . inet_service; 1.2.3.4 : 1.2.3.5 . 53, ..

i.e. re-use the declarative syntax from map code.

Another related issue:
"typeof" doesn't work with concatenations so far.

I don't know when I will have time to look into this more.
I have incomplete patches for concat typeof (udata) support
and a patch to extend the grammar for the proposed { type ... in
anon sets (doesn't cause grammar problems).

I will continue to work on it but don't know yet when I will do so, so
I am sending the finished patches I have at this time.



Thread overview: 10+ messages
2020-02-24  0:03 Florian Westphal [this message]
2020-02-24  0:03 ` [PATCH nft 1/6] tests: add initial nat map test Florian Westphal
2020-02-24  0:03 ` [PATCH nft 2/6] evaluate: process concat expressions when used as mapped-to expr Florian Westphal
2020-02-24  0:03 ` [PATCH nft 3/6] netlink: handle concatenations on set elements mappings Florian Westphal
2020-02-24  0:03 ` [PATCH nft 4/6] evaluate: add two new helpers Florian Westphal
2020-02-24  0:03 ` [PATCH nft 5/6] src: allow nat maps containing both ip(6) address and port Florian Westphal
2020-02-24  0:03 ` [PATCH nft 6/6] tests: nat: add and use maps with both address and service Florian Westphal
2020-02-24 13:22   ` Pablo Neira Ayuso
2020-02-24 18:44 ` [PATCH nft 0/6] allow s/dnat to map to both addr and port Pablo Neira Ayuso
2020-02-24 18:47   ` Pablo Neira Ayuso
