From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, nevola@gmail.com
Subject: Re: [PATCH nft 0/6] allow s/dnat to map to both addr and port
Date: Mon, 24 Feb 2020 19:44:08 +0100	[thread overview]
Message-ID: <20200224184408.baejyxhujwg4rnrt@salvia> (raw)
In-Reply-To: <20200224000324.9333-1-fw@strlen.de>

On Mon, Feb 24, 2020 at 01:03:18AM +0100, Florian Westphal wrote:
> Right now it's not possible to use a map with snat/dnat to alter both
> address and port at the same time.
> 
> This series teaches nft to accept this:
> 
> 	map y4 {
> 		type ipv4_addr : ipv4_addr . inet_service
> 		elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
> 	}
>  	meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4
> 
> i.e., it allows:
> 1. A mapping that contains a concatenated expression.
> 2. nat expression will peek into set type and detect when
>    the mapping is of 'addr + port' type.
>    Linearization will compute the register that contains the port
>    part of the mapping.
> 3. Delinearization will figure out when this trick was used by looking
>    at the length of the mapping: 64 == ipv4addr+service, 160 == ipv6addr+service.
> 
> What does not work:
> Anonymous mappings, i.e.
> meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map { 1.2.3.4 : 1.2.3.5 . 53, ..
>
> doesn't work.  When evaluating "1.2.3.4", this is still a symbol and
> unlike with named sets, nft doesn't have a properly declared set type.

This is now working, test has been adjusted and it is passing.

> This is similar to the 'maps-on-LHS-side' issue.
> Phil suggested to allow this:
>  ...  to ip saddr map { type ipv4_addr : ipv4_addr . inet_service; 1.2.3.4 : 1.2.3.5 . 53, ..
> 
> i.e. re-use the declarative syntax from map code.
> 
> Another related issue:
> "typeof" doesn't work with concatenations so far.

typeof support is still lacking.
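A complete ruleset built around the syntax quoted above, as an added example that is not part of this thread or of the nft test suite; the IPv6 map, the anonymous-map rule and all addresses are constructed, and the register-length comments follow the 64/160-bit figures given in the cover letter:

```nft
# Constructed example ruleset: named maps whose mapped-to value is an
# address . port concatenation, consumed directly by dnat.
table inet nat {
	map y4 {
		# value is 64 bits on the wire: ipv4_addr (32) + inet_service padded
		# to a full 32-bit register, which is how delinearization spots it
		type ipv4_addr : ipv4_addr . inet_service
		elements = { 192.168.7.2 : 10.1.1.1 . 4242,
		             192.168.7.3 : 10.1.1.2 . 8080 }
	}
	map y6 {
		# value is 160 bits: ipv6_addr (128) + padded inet_service (32)
		type ipv6_addr : ipv6_addr . inet_service
		elements = { 2001:db8::2 : 2001:db8:1::10 . 4242 }
	}
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# key on the source address, rewrite destination address and port
		meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4
		meta l4proto tcp meta nfproto ipv6 dnat ip6 to ip6 saddr map @y6
		# anonymous map form; the cover letter says this failed at the
		# time, the reply above reports it now evaluates and passes its test
		meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map { 192.168.7.4 : 10.1.1.3 . 53 }
	}
}
```

Run `nft -c -f ruleset.nft` against a build with this series applied to check that the parser and evaluator accept the concatenated map values before loading them.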

Thread overview: 10+ messages
2020-02-24  0:03 [PATCH nft 0/6] allow s/dnat to map to both addr and port Florian Westphal
2020-02-24  0:03 ` [PATCH nft 1/6] tests: add initial nat map test Florian Westphal
2020-02-24  0:03 ` [PATCH nft 2/6] evaluate: process concat expressions when used as mapped-to expr Florian Westphal
2020-02-24  0:03 ` [PATCH nft 3/6] netlink: handle concatenations on set elements mappings Florian Westphal
2020-02-24  0:03 ` [PATCH nft 4/6] evaluate: add two new helpers Florian Westphal
2020-02-24  0:03 ` [PATCH nft 5/6] src: allow nat maps containing both ip(6) address and port Florian Westphal
2020-02-24  0:03 ` [PATCH nft 6/6] tests: nat: add and use maps with both address and service Florian Westphal
2020-02-24 13:22   ` Pablo Neira Ayuso
2020-02-24 18:44 ` Pablo Neira Ayuso [this message]
2020-02-24 18:47   ` [PATCH nft 0/6] allow s/dnat to map to both addr and port Pablo Neira Ayuso