type ipv4_addr : ipv4_addr
}
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
chain c {
type nat hook prerouting priority dstnat; policy accept;
iifname != "foobar" accept
dnat to ip daddr map @x
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat to ip saddr map @y
+ dnat to ip saddr . tcp dport map @z
+ }
+}
+table ip6 ip6foo {
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat to ip6 saddr map @y
+ dnat to ip6 saddr . tcp dport map @z
+ }
+}
+table inet inetfoo {
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat ip to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
+ meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4
+ meta nfproto ipv4 dnat ip to ip saddr . tcp dport map @z4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat ip6 to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
+ meta l4proto tcp meta nfproto ipv6 dnat ip6 to ip6 saddr map @y6
+ meta nfproto ipv6 dnat ip6 to ip6 saddr . tcp dport map @z6
}
}
map x {
type ipv4_addr : ipv4_addr
}
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
chain c {
type nat hook prerouting priority dstnat; policy accept;
dnat to ip daddr map @x
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat to ip saddr map @y
+ meta l4proto tcp dnat to ip saddr . tcp dport map @z
}
}
EOF
# should fail: rule has no test for l4 protocol
$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1
+
+# skeleton 6
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip6 ip6foo {
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat to ip6 saddr map @y
+ meta l4proto tcp dnat to ip6 saddr . tcp dport map @z
+ }
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1
+
+# skeleton inet
+$NFT -f /dev/stdin <<EOF || exit 1
+table inet inetfoo {
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip to ip saddr map @y4
+ meta l4proto tcp dnat ip to ip saddr . tcp dport map @z4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 to ip6 saddr map @y6
+ meta l4proto tcp dnat ip6 to ip6 saddr . tcp dport map @z6
+ }
+}
+EOF
+
# should fail: map has wrong family: 4->6
$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1
projects / thirdparty / nftables.git / commitdiff
