optimize: ignore existing nat mapping

author Pablo Neira Ayuso <pablo@netfilter.org>

Tue, 7 Feb 2023 09:53:41 +0000 (10:53 +0100)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Thu, 2 Nov 2023 10:56:19 +0000 (11:56 +0100)
author Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 7 Feb 2023 09:53:41 +0000 (10:53 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 2 Nov 2023 10:56:19 +0000 (11:56 +0100)
diff --git a/src/optimize.c b/src/optimize.c

index 48f669c8462cb41c5c7bd2a59789af2675471c22..98977f03f28a7a0e89a68221812b58e62342199b 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -368,6 +368,13 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
                                 clone->log.prefix = expr_get(stmt->log.prefix);
                         break;
                 case STMT_NAT:
+                       if ((stmt->nat.addr &&
+                            stmt->nat.addr->etype == EXPR_MAP) ||
+                           (stmt->nat.proto &&
+                            stmt->nat.proto->etype == EXPR_MAP)) {
+                               clone->ops = &unsupported_stmt_ops;
+                               break;
+                       }
                         clone->nat.type = stmt->nat.type;
                         clone->nat.family = stmt->nat.family;
                         if (stmt->nat.addr)
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft

index 32423b220ed17ce1f8c1ebcb2f5bd57904b2b73b..96e38ccd798a9093dd8e1661d5c8c0b7cca8a449 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_nat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -14,6 +14,7 @@ table ip test3 {
         chain y {
                 oif "lo" accept
                 snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+               oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
         }
  }
  table ip test4 {
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat

index ec9b239c6f487a5f96cdb1620d2aa893323bf3e0..1484b7d39d48e98af0700fbadc431bf407f842bf 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_nat
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -27,6 +27,7 @@ RULESET="table ip test3 {
                  oif lo accept
                  ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
                  ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
+                oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
          }
  }"
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 7 Feb 2023 09:53:41 +0000 (10:53 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 2 Nov 2023 10:56:19 +0000 (11:56 +0100)
src/optimize.c		patch \| blob \| blame \| history
tests/shell/testcases/optimizations/dumps/merge_nat.nft		patch \| blob \| blame \| history
tests/shell/testcases/optimizations/merge_nat		patch \| blob \| blame \| history