[Bug 1410] STATELESS, rules with notrack into a map

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Apr 16 10:20:41 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to e.lohmann from comment #2)
> Hi Pablo,
> 
> thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> Pre/Post.
> 
> dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
> 
> This reads as follows: if packets are sent _to_ IP address 1.1.1.1, then rewrite
> the destination address to 2.2.2.2 and so on.

This rule represents the stateless dnat that you are asking for:

nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

This reads as: set IP destination address based on the map lookup.

This map lookup takes packets sent to IP address 1.1.1.1 and returns
2.2.2.2, which is used to rewrite the IP destination.

> snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> 
> This reads as follows: if packets come _from_ IP address 2.2.2.2, then rewrite
> the source address to 1.1.1.1 and so on.

nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

Similar rule as above, but "ip saddr set" is used.

[...]
> Right now there is no way to create a map in raw and do address rewrite.

Did you give a try to the examples above?

Thank you.

-- 
You are receiving this mail because:
You are watching all bug changes.
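The following ruleset is an added example, not part of the bug report or of the nftables project's own documentation. It expands the two one-line rules from the comment into a loadable file: the addresses are the ones from the report, the map names are assumptions, and the map contents are used in the orientation the reporter asked for (destination-keyed for the inbound rewrite, source-keyed for the reply rewrite).

```nft
# Added example: stateless 1:1 address rewrite in the raw table with notrack.
# Addresses come from the bug report; map names (dnat_addrs, snat_addrs) are
# assumed, not taken from the report.
table ip raw {
    # inbound: packets addressed to the public address get the internal one
    map dnat_addrs {
        type ipv4_addr : ipv4_addr
        elements = { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
    }

    # replies: packets leaving from the internal address get the public one
    map snat_addrs {
        type ipv4_addr : ipv4_addr
        elements = { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
    }

    chain prerouting {
        # -300 is the "raw" priority, i.e. before conntrack sees the packet
        type filter hook prerouting priority -300; policy accept;

        # lookup keyed on the packet's destination; if the key is absent the
        # rule does not match and the packet is left untouched
        ip daddr set ip daddr map @dnat_addrs notrack

        # lookup keyed on the packet's source, for the reply direction
        ip saddr set ip saddr map @snat_addrs notrack
    }
}
```

Load it with `nft -f <file>` (or check it first with `nft -c -f <file>`). Because the rewrite happens with a payload `set` rather than the `dnat`/`snat` statements, no conntrack entry is created; the `notrack` statement is what keeps conntrack from later building an entry for the rewritten packet, so both directions have to be covered by explicit rules, as above, rather than relying on the reverse mapping that stateful NAT would derive.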