nftables segv while trying to use nat redirection with map

nftables segv while trying to use nat redirection with map

[Steve Horsley]

I would like to do host redirection using nftables, and using maps for 
efficient host address lookup (thousands of entries).
As a first step, I tried just natting the output from my laptop but the 
real use will be on the prerouting chain:
172.16.0.1 -> 8.8.8.8.
The following works as intended:
     nft add table nat
     nft add chain nat output { type nat hook output priority 0 \; }
     nft add rule nat output ip daddr 172.16.1.1 dnat 8.8.8.8
     ping 172.16.1.1

But I can't get it to work using maps - this causes a segmentation error:
     nft flush ruleset
     nft add table nat
     nft add chain nat output { type nat hook output priority 0 \; }
     nft add rule ip nat output dnat ip daddr map { 172.16.1.1 : 8.8.8.8 }
     nft list ruleset

I don't know if I just have the wrong syntax, if it's a bug in nft, or 
if it's just something I shouldn't be trying to do in the first place. I 
am using nftables 0.4 (ubuntu 15.10 beta) but had the same result on 
ubuntu 15.04.

Re: nftables segv while trying to use nat redirection with map

[Pablo Neira Ayuso]

On Sun, Oct 18, 2015 at 01:32:09PM +0100, Steve Horsley wrote:
> I would like to do host redirection using nftables, and using
> maps for efficient host address lookup (thousands of entries).
> As a first step, I tried just natting the output from my laptop
> but the real use will be on the prerouting chain:
> 172.16.0.1 -> 8.8.8.8.
> The following works as intended:
>     nft add table nat
>     nft add chain nat output { type nat hook output priority 0 \; }
>     nft add rule nat output ip daddr 172.16.1.1 dnat 8.8.8.8
>     ping 172.16.1.1
> 
> But I can't get it to work using maps - this causes a segmentation error:
>     nft flush ruleset
>     nft add table nat
>     nft add chain nat output { type nat hook output priority 0 \; }
>     nft add rule ip nat output dnat ip daddr map { 172.16.1.1 : 8.8.8.8 }
>     nft list ruleset
> 
> I don't know if I just have the wrong syntax, if it's a bug in
> nft, or if it's just something I shouldn't be trying to do in the
> first place. I am using nftables 0.4 (ubuntu 15.10 beta) but had
> the same result on ubuntu 15.04.

This works here on nftables 0.5, I can load both this:

#!/usr/sbin/nft

flush ruleset
add table nat
add chain nat output { type nat hook output priority 0 ; }
add rule ip nat output dnat ip daddr map { 172.16.1.1 : 8.8.8.8 }

and this:

flush ruleset
table ip nat {
        chain output {
                type nat hook output priority 0; policy accept;
                dnat ip daddr map { 172.16.1.1 : 8.8.8.8} 
        }
}

Re: nftables segv while trying to use nat redirection with map

[Steve Horsley]

Sorry for the delay in answering.

I installed the development version of Ubuntu 16.10 with proposed 
updates. With this version, nft -v reports version 0.5. My original set 
of commands now works without crashing, so thanks for the advice to try 
version 0.5.

However, this set of commands still fails:

# nft flush ruleset
# nft add table nat
# nft add chain nat output { type nat hook output priority 0 \; }
# nft add map nat outnat {type ipv4_addr : ipv4_addr\; }
# nft add element nat outnat { 172.16.1.1 : 8.8.8.8 , 172.16.1.2 : 8.8.4.4 }
# nft add rule ip nat output dnat ip daddr map @outnat
<cmdline>:1:1-48: Error: Could not process rule: Invalid argument
add rule ip nat output dnat ip daddr map @outnat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It looks as though I have a syntax error in the command, but I can't 
find a good example to use as a template. Do I have the syntax wrong, or 
is using a separate set like this not possible?

Thanks,
Steve.

Re: nftables segv while trying to use nat redirection with map

[Pablo Neira Ayuso]

On Mon, Nov 02, 2015 at 11:27:29PM +0000, Steve Horsley wrote:
> Sorry for the delay in answering.
> 
> I installed the development version of Ubuntu 16.10 with proposed updates.
> With this version, nft -v reports version 0.5. My original set of commands
> now works without crashing, so thanks for the advice to try version 0.5.
> 
> However, this set of commands still fails:
> 
> # nft flush ruleset
> # nft add table nat
> # nft add chain nat output { type nat hook output priority 0 \; }
> # nft add map nat outnat {type ipv4_addr : ipv4_addr\; }
> # nft add element nat outnat { 172.16.1.1 : 8.8.8.8 , 172.16.1.2 : 8.8.4.4 }
> # nft add rule ip nat output dnat ip daddr map @outnat
> <cmdline>:1:1-48: Error: Could not process rule: Invalid argument
> add rule ip nat output dnat ip daddr map @outnat
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> It looks as though I have a syntax error in the command, but I can't find a
> good example to use as a template. Do I have the syntax wrong, or is using a
> separate set like this not possible?

This is working here. What kernel version are you using?

This problem is resolved in 4.2.4 and it should be in 4.1.12 too.

Re: nftables segv while trying to use nat redirection with map

[Steve Horsley]

On 03/11/15 12:08, Pablo Neira Ayuso wrote:
> On Mon, Nov 02, 2015 at 11:27:29PM +0000, Steve Horsley wrote:
>> Sorry for the delay in answering.
>>
>> I installed the development version of Ubuntu 16.10 with proposed updates.
>> With this version, nft -v reports version 0.5. My original set of commands
>> now works without crashing, so thanks for the advice to try version 0.5.
>>
>> However, this set of commands still fails:
>>
>> # nft flush ruleset
>> # nft add table nat
>> # nft add chain nat output { type nat hook output priority 0 \; }
>> # nft add map nat outnat {type ipv4_addr : ipv4_addr\; }
>> # nft add element nat outnat { 172.16.1.1 : 8.8.8.8 , 172.16.1.2 : 8.8.4.4 }
>> # nft add rule ip nat output dnat ip daddr map @outnat
>> <cmdline>:1:1-48: Error: Could not process rule: Invalid argument
>> add rule ip nat output dnat ip daddr map @outnat
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> It looks as though I have a syntax error in the command, but I can't find a
>> good example to use as a template. Do I have the syntax wrong, or is using a
>> separate set like this not possible?
> This is working here. What kernel version are you using?
>
> This problem is resolved in 4.2.4 and it should be in 4.1.12 too.
It appears to be version 4.2.0:

steve@steve-desktop:~$ uname -a
Linux steve-desktop 4.2.0-17-generic #21-Ubuntu SMP Fri Oct 23 19:56:16 
UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
steve@steve-desktop:~$

So I guess I have to wait until Ubuntu catches up with current releases, 
hopefully in time for their next release in April. Or I may try Debian 
Sid, which I think is on kernel 4.2.5 at the moment. I don't think we 
will be using Sid in production, but it should be good for testing.

Thank you again for looking at this. I think my questions are fully 
answered now.
Steve.

Re: nftables segv while trying to use nat redirection with map

[Arturo Borrero Gonzalez]

On 3 November 2015 at 19:24, Steve Horsley <steve.horsley@gmail.com> wrote:
>
> So I guess I have to wait until Ubuntu catches up with current releases,
> hopefully in time for their next release in April. Or I may try Debian Sid,
> which I think is on kernel 4.2.5 at the moment. I don't think we will be
> using Sid in production, but it should be good for testing.
>

You may try debian with stable-backports. There the nftables framework
is pretty up-to-date these days (linux 4.2.3 but update to 4.2.5
should happen soon).

-- 
Arturo Borrero Gonz√°lez