Error: conflicting intervals specified - Bullseye 0.9.8

Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Hi,

I get the following error with the above nft version, lan being the 
interface name:

add element ip6 nat fwdtoip_tcp.lan { 1-65534 : 2001:db8:27b:10:ff9b::, 
1-65534 : 2001:db8:27b:ff9b::c0a8:ad1}

with

add map ipv6_addr nat fwdtoip_tcp.lan { type inet_service : ipv6_addr\; 
flags interval\; }

What's wrong here ? My goal being to redirect all (or range ports) 
external traffic to another server.

Thanks for any hint
-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Pablo Neira Ayuso]

On Wed, Sep 08, 2021 at 11:33:02AM +0200, Daniel wrote:
> Hi,
> 
> I get the following error with the above nft version, lan being the
> interface name:
> 
> add element ip6 nat fwdtoip_tcp.lan { 1-65534 : 2001:db8:27b:10:ff9b::,
> 1-65534 : 2001:db8:27b:ff9b::c0a8:ad1}
> 
> with
> 
> add map ipv6_addr nat fwdtoip_tcp.lan { type inet_service : ipv6_addr\;
> flags interval\; }
> 
> What's wrong here ? My goal being to redirect all (or range ports) external
> traffic to another server.

Could you develop what your use-case is?

Keys uniquely identify an entry in a map, if you define two entries
with the same key, you hit this conflict interval error.

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Hello

Le 16/09/2021 à 11:29, Pablo Neira Ayuso a écrit :
> On Wed, Sep 08, 2021 at 11:33:02AM +0200, Daniel wrote:
>> Hi,
>>
>> I get the following error with the above nft version, lan being the
>> interface name:
>>
>> add element ip6 nat fwdtoip_tcp.lan { 1-65534 : 2001:db8:27b:10:ff9b::,
>> 1-65534 : 2001:db8:27b:ff9b::c0a8:ad1}
>>
>> with
>>
>> add map ipv6_addr nat fwdtoip_tcp.lan { type inet_service : ipv6_addr\;
>> flags interval\; }
>>
>> What's wrong here ? My goal being to redirect all (or range ports) external
>> traffic to another server.
> Could you develop what your use-case is?
The above example says -in my mind ;)- that everything coming from 
outside on ip

2001:db8:27b:10:ff9b:: should be redirect (symmetrical) to ip 2001:db8:27b:ff9b::c0a8:ad1

>
> Keys uniquely identify an entry in a map, if you define two entries
> with the same key, you hit this conflict interval error.
I see this like forward port:ip to port:anotherip

-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Pablo Neira Ayuso]

On Thu, Sep 16, 2021 at 01:27:44PM +0200, Daniel wrote:
> Hello
> 
> Le 16/09/2021 à 11:29, Pablo Neira Ayuso a écrit :
> > On Wed, Sep 08, 2021 at 11:33:02AM +0200, Daniel wrote:
> > > Hi,
> > > 
> > > I get the following error with the above nft version, lan being the
> > > interface name:
> > > 
> > > add element ip6 nat fwdtoip_tcp.lan { 1-65534 : 2001:db8:27b:10:ff9b::,
> > > 1-65534 : 2001:db8:27b:ff9b::c0a8:ad1}
> > > 
> > > with
> > > 
> > > add map ipv6_addr nat fwdtoip_tcp.lan { type inet_service : ipv6_addr\;
> > > flags interval\; }
> > > 
> > > What's wrong here ? My goal being to redirect all (or range ports) external
> > > traffic to another server.
> > Could you develop what your use-case is?
>
> The above example says -in my mind ;)- that everything coming from outside
> on ip
> 
> 2001:db8:27b:10:ff9b:: should be redirect (symmetrical) to ip 2001:db8:27b:ff9b::c0a8:ad1
>
> > Keys uniquely identify an entry in a map, if you define two entries
> > with the same key, you hit this conflict interval error.
>
> I see this like forward port:ip to port:anotherip

so you want to redirect all ports except a few of them?

  add map x mymap { type ipv4_addr : ipv4_addr ; }
  add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap

This allows you to dnat depending on the IP source address, skipping 0
and 65535 for TCP and UDP.

I'm not sure yet if this is what you need though

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Le 16/09/2021 à 14:58, Pablo Neira Ayuso a écrit :

[...]
> Keys uniquely identify an entry in a map, if you define two entries
>>> with the same key, you hit this conflict interval error.
>> I see this like forward port:ip to port:anotherip
> so you want to redirect all ports except a few of them?
>
>    add map x mymap { type ipv4_addr : ipv4_addr ; }
>    add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap
>
> This allows you to dnat depending on the IP source address, skipping 0
> and 65535 for TCP and UDP.
>
> I'm not sure yet if this is what you need though
That's my goal,  thanks !

-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Le 16/09/2021 à 14:58, Pablo Neira Ayuso a écrit :
> [...]
> so you want to redirect all ports except a few of them?
>
>    add map x mymap { type ipv4_addr : ipv4_addr ; }
>    add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap
>
> This allows you to dnat depending on the IP source address, skipping 0
> and 65535 for TCP and UDP.

I don't get I so lets be more explicite with an example.

I want to redirect udp port 10000-20000 to another IP (typically 
asterisk RTP ports from host to a VM) What I have today which work with 
single ports (bash script, yes I know ;))

     $fwtables add map $1 nat fwdtoip_tcp.$IFACE { type inet_service : 
$mytype\; flags interval\; }
     $fwtables add map $1 nat fwdtoip_udp.$IFACE { type inet_service : 
$mytype\; flags interval\; }
     $fwtables add map $1 nat fwdtoport_tcp.$IFACE { type inet_service : 
inet_service\; flags interval\;}
     $fwtables add map $1 nat fwdtoport_udp.$IFACE { type inet_service : 
inet_service\; flags interval\;}
     $fwtables add map $1 nat redirect_tcp.$IFACE { type inet_service : 
inet_service\; flags interval\;}
     $fwtables add map $1 nat redirect_udp.$IFACE { type inet_service : 
inet_service\; flags interval\;}

where $1 is ip or ip6, $mytype is ipv4_addr or ipv6_addr

Then from a list of ports I extract each value -including ranges like 
above exemple- and do

If src address != to dst address
$fwtables add element $1 nat fwdtoip_$myproto.$IFACE { $tmpsport : 
$mydaddr }
$fwtables add element $1 nat fwdtoport_$myproto.$IFACE { $tmpsport : 
$tmpdport } ; this is not accepted when a range is given like 10000-20000

If src address = dst address
$fwtables add element $1 nat redirect_$myproto.$IFACE { $tmpsport : 
$tmpdport }

where $1 is ip or ip6, $myproto is udp or tcp, $tmpsport port or range 
of port to redirect, $myaddr is destination ip. $tmpdport can be equal 
or a different value from $tmpsport

Finally rules

$fwtables add rule ip nat prerouting ip daddr == $myaddripv4 dnat tcp 
dport map @fwdtoip_tcp.$IFACE : tcp dport map @fwdtoport_tcp.$IFACE
$fwtables add rule ip nat prerouting ip daddr == $myaddripv4 dnat udp 
dport map @fwdtoip_udp.$IFACE : udp dport map @fwdtoport_udp.$IFACE
$fwtables add rule ip nat prerouting ip daddr == $myaddripv4 meta 
l4proto tcp dnat to : tcp dport map @redirect_tcp.$IFACE
$fwtables add rule ip nat prerouting ip daddr == $myaddripv4 meta 
l4proto udp dnat to : udp dport map @redirect_udp.$IFACE

This works perfectly with single ports but as soon as I want to redirect 
a range of ports it fail.

Where is my mistake ? Is it to complicate to achieve something which 
should be easy ?

Thanks for your support and ideas

-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Pablo Neira Ayuso]

On Fri, Sep 17, 2021 at 12:18:12PM +0200, Daniel wrote:
> Le 16/09/2021 à 14:58, Pablo Neira Ayuso a écrit :
> > [...]
> > so you want to redirect all ports except a few of them?
> > 
> >    add map x mymap { type ipv4_addr : ipv4_addr ; }
> >    add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap
> > 
> > This allows you to dnat depending on the IP source address, skipping 0
> > and 65535 for TCP and UDP.
> 
> I don't get I so lets be more explicite with an example.
> 
> I want to redirect udp port 10000-20000 to another IP (typically asterisk
> RTP ports from host to a VM) What I have today which work with single ports
> (bash script, yes I know ;))
> 
>     nft add map $1 nat fwdtoip_tcp.$IFACE { type inet_service :
> $mytype\; flags interval\; }
>     nft add map $1 nat fwdtoip_udp.$IFACE { type inet_service :
> $mytype\; flags interval\; }
>     nft add map $1 nat fwdtoport_tcp.$IFACE { type inet_service :
> inet_service\; flags interval\;}
>     nft add map $1 nat fwdtoport_udp.$IFACE { type inet_service :
> inet_service\; flags interval\;}
>     nft add map $1 nat redirect_tcp.$IFACE { type inet_service :
> inet_service\; flags interval\;}
>     nft add map $1 nat redirect_udp.$IFACE { type inet_service :
> inet_service\; flags interval\;}
> 
> where $1 is ip or ip6, $mytype is ipv4_addr or ipv6_addr
> 
> Then from a list of ports I extract each value -including ranges like above
> exemple- and do
> 
> If src address != to dst address
> nft add element $1 nat fwdtoip_$myproto.$IFACE { $tmpsport : $mydaddr
> }
> nft add element $1 nat fwdtoport_$myproto.$IFACE { $tmpsport :
> $tmpdport } ; this is not accepted when a range is given like 10000-20000
> 
> If src address = dst address
> nft add element $1 nat redirect_$myproto.$IFACE { $tmpsport :
> $tmpdport }
> 
> where $1 is ip or ip6, $myproto is udp or tcp, $tmpsport port or range of
> port to redirect, $myaddr is destination ip. $tmpdport can be equal or a
> different value from $tmpsport
> 
> Finally rules
> 
> nft add rule ip nat prerouting ip daddr == $myaddripv4 dnat tcp dport
> map @fwdtoip_tcp.$IFACE : tcp dport map @fwdtoport_tcp.$IFACE
> nft add rule ip nat prerouting ip daddr == $myaddripv4 dnat udp dport
> map @fwdtoip_udp.$IFACE : udp dport map @fwdtoport_udp.$IFACE
> nft add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto
> tcp dnat to : tcp dport map @redirect_tcp.$IFACE
> nft add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto
> udp dnat to : udp dport map @redirect_udp.$IFACE
> 
> This works perfectly with single ports but as soon as I want to redirect a
> range of ports it fail.
> 
> Where is my mistake ? Is it to complicate to achieve something which should
> be easy ?

You require nftables 1.0.0 for the snippet below:

table ip nat {
        map fwdtoip_th {
                type ipv4_addr . inet_service : interval ipv4_addr . inet_service
                flags interval
                elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
        }
}

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Hi Pablo,

sorry for delay, I had to install 1.0.0 from snap on my Ubuntu 20.04.

Le 21/09/2021 à 02:13, Pablo Neira Ayuso a écrit :
> On Fri, Sep 17, 2021 at 12:18:12PM +0200, Daniel wrote:
>> Le 16/09/2021 à 14:58, Pablo Neira Ayuso a écrit :
>>> [...]
>>> so you want to redirect all ports except a few of them?
>>>
>>>     add map x mymap { type ipv4_addr : ipv4_addr ; }
>>>     add rule x y ip protocol { tcp, udp } th dport 1-65534 dnat to ip saddr map @mymap
>>>
>>> This allows you to dnat depending on the IP source address, skipping 0
>>> and 65535 for TCP and UDP.
>> I don't get I so lets be more explicite with an example.
>>
>> I want to redirect udp port 10000-20000 to another IP (typically asterisk
>> RTP ports from host to a VM) What I have today which work with single ports
>> (bash script, yes I know ;))
>>
>>      nft add map $1 nat fwdtoip_tcp.$IFACE { type inet_service :
>> $mytype\; flags interval\; }
>>      nft add map $1 nat fwdtoip_udp.$IFACE { type inet_service :
>> $mytype\; flags interval\; }
>>      nft add map $1 nat fwdtoport_tcp.$IFACE { type inet_service :
>> inet_service\; flags interval\;}
>>      nft add map $1 nat fwdtoport_udp.$IFACE { type inet_service :
>> inet_service\; flags interval\;}
>>      nft add map $1 nat redirect_tcp.$IFACE { type inet_service :
>> inet_service\; flags interval\;}
>>      nft add map $1 nat redirect_udp.$IFACE { type inet_service :
>> inet_service\; flags interval\;}
>>
>> where $1 is ip or ip6, $mytype is ipv4_addr or ipv6_addr
>>
>> Then from a list of ports I extract each value -including ranges like above
>> exemple- and do
>>
>> If src address != to dst address
>> nft add element $1 nat fwdtoip_$myproto.$IFACE { $tmpsport : $mydaddr
>> }
>> nft add element $1 nat fwdtoport_$myproto.$IFACE { $tmpsport :
>> $tmpdport } ; this is not accepted when a range is given like 10000-20000
>>
>> If src address = dst address
>> nft add element $1 nat redirect_$myproto.$IFACE { $tmpsport :
>> $tmpdport }
>>
>> where $1 is ip or ip6, $myproto is udp or tcp, $tmpsport port or range of
>> port to redirect, $myaddr is destination ip. $tmpdport can be equal or a
>> different value from $tmpsport
>>
>> Finally rules
>>
>> nft add rule ip nat prerouting ip daddr == $myaddripv4 dnat tcp dport
>> map @fwdtoip_tcp.$IFACE : tcp dport map @fwdtoport_tcp.$IFACE
>> nft add rule ip nat prerouting ip daddr == $myaddripv4 dnat udp dport
>> map @fwdtoip_udp.$IFACE : udp dport map @fwdtoport_udp.$IFACE
>> nft add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto
>> tcp dnat to : tcp dport map @redirect_tcp.$IFACE
>> nft add rule ip nat prerouting ip daddr == $myaddripv4 meta l4proto
>> udp dnat to : udp dport map @redirect_udp.$IFACE
>>
>> This works perfectly with single ports but as soon as I want to redirect a
>> range of ports it fail.
>>
>> Where is my mistake ? Is it to complicate to achieve something which should
>> be easy ?
> You require nftables 1.0.0 for the snippet below:
>
> table ip nat {
>          map fwdtoip_th {
>                  type ipv4_addr . inet_service : interval ipv4_addr . inet_service
>                  flags interval
>                  elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
>          }
>
>          chain prerouting {
>                  type nat hook prerouting priority dstnat; policy accept;
>                  meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
>          }
> }

I can't get it, map is OK but creating rule fail

map in nat prerouting:

map fwdtoip_th {
         type ipv4_addr . inet_service : interval ipv4_addr . inet_service
         flags interval
         elements = { 192.168.10.24 . 58194-58198 : 192.168.10.254 . 
58194-58198 }
     }

Now I add the rule

sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
daddr . th dport map @fwdtoip_th ; from your example

and error is

Error: datatype mismatch: expected IPv4 address, expression has type 
concatenation of (IPv4 address, internet network service)
add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . 
th dport map @fwdtoip_th

OK, after to ip should be the daddr so I insert it

sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
daddr daddr . th dport map @fwdtoip_th

and error is

Error: syntax error, unexpected newline
add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr 
daddr . th dport map @fwdtoip_th

What's wrong ?

Thanks for your help

-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Daniel]

Le 28/09/2021 à 13:05, Daniel a écrit :
> Hi Pablo,
> 
> sorry for delay, I had to install 1.0.0 from snap on my Ubuntu 20.04.
> 
> Le 21/09/2021 à 02:13, Pablo Neira Ayuso a écrit :
> [...]
>> You require nftables 1.0.0 for the snippet below:
>>
>> table ip nat {
>>          map fwdtoip_th {
>>                  type ipv4_addr . inet_service : interval ipv4_addr . 
>> inet_service
>>                  flags interval
>>                  elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 
>> 30000-40000 }
>>          }
>>
>>          chain prerouting {
>>                  type nat hook prerouting priority dstnat; policy accept;
>>                  meta l4proto { tcp, udp } dnat to ip daddr . th dport 
>> map @fwdtoip_th
>>          }
>> }
> 
> I can't get it, map is OK but creating rule fail
> 
> map in nat prerouting:
> 
> map fwdtoip_th {
>          type ipv4_addr . inet_service : interval ipv4_addr . inet_service
>          flags interval
>          elements = { 192.168.10.24 . 58194-58198 : 192.168.10.254 . 
> 58194-58198 }
>      }
> 
> Now I add the rule
> 
> sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
> daddr . th dport map @fwdtoip_th ; from your example
> 
> and error is
> 
> Error: datatype mismatch: expected IPv4 address, expression has type 
> concatenation of (IPv4 address, internet network service)
> add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . 
> th dport map @fwdtoip_th
> 
> OK, after to ip should be the daddr so I insert it
> 
> sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
> daddr daddr . th dport map @fwdtoip_th
> 
> and error is
> 
> Error: syntax error, unexpected newline
> add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr 
> daddr . th dport map @fwdtoip_th

Something is wrong when calling a named map (in this case). If I do

sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
daddr . th dport map { 192.168.10.24 . 10000-20000 : 192.168.10.254 . 
3000-40000 }

everything is fine. But if I call the map like

sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip 
daddr . th dport map @fwdtoip_th

I get

Error: datatype mismatch: expected IPv4 address, expression has type 
concatenation of (IPv4 address, internet network service)
add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . 
th dport map @fwdtoip_th

Expression recognize that map is a concatenation but not that the "to ip 
daddr . th dport" should also be treated as concatenation
-- 
Daniel

Re: Error: conflicting intervals specified - Bullseye 0.9.8

[Pablo Neira Ayuso]

On Tue, Sep 28, 2021 at 02:41:57PM +0200, Daniel wrote:
> Le 28/09/2021 à 13:05, Daniel a écrit :
[...]
> everything is fine. But if I call the map like
> 
> sudo nft add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip
> daddr . th dport map @fwdtoip_th
> 
> I get
> 
> Error: datatype mismatch: expected IPv4 address, expression has type
> concatenation of (IPv4 address, internet network service)
> add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th
> dport map @fwdtoip_th
> 
> Expression recognize that map is a concatenation but not that the "to ip
> daddr . th dport" should also be treated as concatenation

Fix: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210928205543.368551-1-pablo@netfilter.org/