map problem with port range

map problem with port range

[Daniel]

Hi list

nft 1.02 I have following map configuration:

map forward_udp.lan {
     type ipv6_addr . inet_service : interval ipv6_addr . inet_service
     flags interval
     elements = { 2001:db8::1 . 20000-24999 : 2001:db8:16e:10::ffee . 
20000-24999 }
}

ip6 chain prerouting

add rule ip6 nat prerouting ip6 daddr . udp dport map @forward_udp.lan

but I get a syntax error, unexpected newline

Where is my mistake ?

-- 
Daniel

Re: map problem with port range

[Pablo Neira Ayuso]

On Tue, Oct 31, 2023 at 07:38:30PM +0100, Daniel wrote:
> Hi list
> 
> nft 1.02 I have following map configuration:
> 
> map forward_udp.lan {
>     type ipv6_addr . inet_service : interval ipv6_addr . inet_service
>     flags interval
>     elements = { 2001:db8::1 . 20000-24999 : 2001:db8:16e:10::ffee .
> 20000-24999 }
> }
> 
> ip6 chain prerouting
> 
> add rule ip6 nat prerouting ip6 daddr . udp dport map @forward_udp.lan

What is your intention with this rule?

Are you looking up for a matching packet in this map using

        ip6 daddr . udp dport

as key?

Re: map problem with port range

[Daniel]

Le 01/11/2023 à 09:32, Pablo Neira Ayuso a écrit :
> On Tue, Oct 31, 2023 at 07:38:30PM +0100, Daniel wrote:
>> Hi list
>>
>> nft 1.02 I have following map configuration:
>>
>> map forward_udp.lan {
>>      type ipv6_addr . inet_service : interval ipv6_addr . inet_service
>>      flags interval
>>      elements = { 2001:db8::1 . 20000-24999 : 2001:db8:16e:10::ffee .
>> 20000-24999 }
>> }
>>
>> ip6 chain prerouting
>>
>> add rule ip6 nat prerouting ip6 daddr . udp dport map @forward_udp.lan
> What is your intention with this rule?
>
> Are you looking up for a matching packet in this map using
>
>          ip6 daddr . udp dport
>
> as key?
Yes. dport 20000-24999 to 2001:db8::1 should be forwarded du same port 
range at 2001:db8:16e:10::ffee

-- 
Daniel

Re: map problem with port range

[Pablo Neira Ayuso]

Then, this:

  table inet filter {
        map forward_udp.lan {
             type ipv6_addr . inet_service : interval ipv6_addr . inet_service
             flags interval
             elements = { 2001:db8::1 . 20000-24999 : 2001:db8:16e:10::ffee . 20000-24999 }
        }

        chain y {
                ip6 daddr . udp dport @forward_udp.lan
        }
  }

Note that you require a Linux kernel >= 6.4 which contains this fix:

commit a4878eeae39048e6abe85891c714b49dc13fc08c
Author: Florian Westphal <fw@strlen.de>
Date:   Fri May 12 14:19:47 2023 +0200

    netfilter: nf_tables: relax set/map validation checks

Probably there is a chance to request to enqueue this for -stable,
because a simple look up on a map is something that should be working
since day 0.


No 'map' keyword, such keyword is only required when you want to make a
map lookup, e.g.

        dnat ip6 to ip6 daddr . udp dport map @forward_udp.lan
                    ^^^^^^^^^^^^^^^^^^^^^

then you make a map lookup using the key above.