From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables portmap map
Date: Mon, 23 Dec 2024 13:51:51 +0100 [thread overview]
Message-ID: <20241223125151.GA7005@breakpoint.cc> (raw)
In-Reply-To: <CABhP=tZtzqX8vfL5zdqxx6sdZWT56iWAhW35-=U8Z16HZBs-ug@mail.gmail.com>
Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> in kubernetes there is a feature called HostPorts for Pods, that
> basically just implements DNAT from the current host
> HostIP:Protocol:Port to one Container IP and Port
>
> If I understand the documentation correctly, and following this
> stackoverflow answer
> https://unix.stackexchange.com/questions/745265/nftables-dnat-with-source-address-restriction-and-just-one-map,
> I can implement this with just one map, which should be something like
> this for IPv4 and IPv6:
>
> > "ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service"
> > "ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service"
>
> In my prototype I can create the maps correctly and add elements to them,
> so I think that part is ok:
>
> > nft add map inet cni-kindnet hostport-map-v4 { type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service \; flags interval \; }
>
> The problem comes when I try to set up the rule to use the map. This
> is the rule I'm using, but it fails to be inserted. There is also no
> clear message on the output; it just fails silently with exit code
> 1.
>
> > nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
>
> I also tried, without success:
>
> > inet cni-kindnet prerouting dnat to ip daddr . meta l4proto . th dport map @hostport-map-v4
>
> See execution with debug=all attached
>
> My system info is:
>
> nft -V
> nftables v1.0.6 (Lester Gooch #5)
> cli: editline
> json: yes
> minigmp: no
> libxtables: yes
Strange, this version does work for me.
table inet cni-kindnet {
        map hostport-map-v4 {
                type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
                flags interval
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
        }
}
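The working ruleset above spells the rule as `dnat ip to ...` (with the address family named) inside the inet table, whereas both quoted attempts write `dnat to ...`. As an added example that is not part of the thread, the generator below emits a ruleset in the working form from a list of HostPort mappings: it splits mappings into the v4 and v6 maps, rejects family mismatches, bad ports and unknown protocols, and renders the concatenated map elements. The table and map names come from the thread; the protocol set and the IPv6 rule shape (`ip6 daddr . meta l4proto . th dport`) are my assumptions.

```python
"""Render an nftables ruleset for HostPort-style DNAT (constructed example)."""
import ipaddress

TABLE = "cni-kindnet"                 # table name used in the thread
PROTOCOLS = {"tcp", "udp", "sctp"}    # assumption: protocols a HostPort may use
# family -> (nft address type, nft protocol family keyword, L4 protocol match)
FAMILIES = {4: ("ipv4_addr", "ip", "ip protocol"),
            6: ("ipv6_addr", "ip6", "meta l4proto")}


def hostport_elements(mappings):
    """Turn (host_ip, proto, host_port, pod_ip, pod_port) tuples into map
    elements, keyed by IP version. Raises ValueError on invalid input."""
    elements = {4: [], 6: []}
    for host_ip, proto, host_port, pod_ip, pod_port in mappings:
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        for port in (host_port, pod_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        host, pod = ipaddress.ip_address(host_ip), ipaddress.ip_address(pod_ip)
        if host.version != pod.version:
            # one map per family: a v4 key cannot map to a v6 value
            raise ValueError(f"family mismatch: {host_ip} -> {pod_ip}")
        # concatenated key : concatenated value, as nft expects for this map type
        elements[host.version].append(
            f"{host} . {proto} . {host_port} : {pod} . {pod_port}")
    return elements


def render_ruleset(mappings):
    """Return the complete `nft -f`-loadable ruleset text."""
    elements = hostport_elements(mappings)
    out = [f"table inet {TABLE} {{"]
    for ver, (addr_type, fam, l4) in FAMILIES.items():
        out += [f"        map hostport-map-v{ver} {{",
                f"                type {addr_type} . inet_proto . inet_service"
                f" : {addr_type} . inet_service",
                "                flags interval"]
        if elements[ver]:
            out.append("                elements = { "
                       + ", ".join(elements[ver]) + " }")
        out.append("        }")
    out += ["        chain prerouting {",
            "                type nat hook prerouting priority dstnat; policy accept;"]
    for ver, (_, fam, l4) in FAMILIES.items():
        # family named after 'dnat', matching the working rule in the thread
        out.append(f"                dnat {fam} to {fam} daddr . {l4} . th dport"
                   f" map @hostport-map-v{ver}")
    out += ["        }", "}"]
    return "\n".join(out)
```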
Thread overview:
2024-12-23 11:08 nftables portmap map Antonio Ojea
2024-12-23 12:51 ` Florian Westphal [this message]
2024-12-23 14:34 ` Antonio Ojea
2024-12-23 15:02 ` Antonio Ojea
2024-12-23 16:15 ` Florian Westphal
2024-12-28 9:20 ` Antonio Ojea