<html>
<head>
<base href="https://bugzilla.netfilter.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - mapping IPv4 interval to IPv4 interval works for anonymous maps, but not for named maps"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1764">1764</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>mapping IPv4 interval to IPv4 interval works for anonymous maps, but not for named maps
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>git (please specify your HEAD)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>karel@unitednetworks.cz
</td>
</tr></table>
<p>
<div>
<pre>I want to create IPv4 SNAT mapping from interval to interval (SNAT M:N where N
will be different for each interval from M). It looks like this is possible by
using anonymous maps, but not by using named maps.
System:
********************************
uname -a
Linux karel2 6.10.4-gentoo #1 SMP PREEMPT_DYNAMIC Mon Aug 12 11:07:42 CEST 2024
x86_64 AMD Ryzen 5 8600G w/ Radeon 760M Graphics AuthenticAMD GNU/Linux
cd /usr/src/nftables
git status
HEAD detached at 80258b03
nothing to commit, working tree clean
nft --version
nftables v1.1.0 (Commodore Bullmoose)
********************************
Anonymous map example:
********************************
nft add table t
nft add chain t c { type nat hook postrouting priority srcnat\; }
nft add rule t c snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 }
persistent
nft list ruleset
table ip t {
chain c {
type nat hook postrouting priority srcnat; policy accept;
snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 }
persistent
}
}
********************************
Named map example:
********************************
nft flush ruleset
nft add table t
nft add chain t c { type nat hook postrouting priority srcnat\; }
nft add map t m { type ipv4_addr: ipv4_addr\; flags interval\; }
nft add rule t c snat ip to ip saddr map @m persistent
nft list ruleset
table ip t {
map m {
type ipv4_addr : ipv4_addr
flags interval
}
chain c {
type nat hook postrouting priority srcnat; policy accept;
snat to ip saddr map @m persistent
}
}
nft add element t m { 192.0.2.0/24 : 198.51.100.0/24 }
Error: Value must be a singleton
add element t m { 192.0.2.0/24 : 198.51.100.0/24 }
^^^^^^^^^^^^^^^
********************************
I am aware of possibility to use verdict maps and dynamically create chains for
each NATed interval, but it looks like unecessary overhead and it should work
directly with named maps if it works with anonymous maps.
Just tried duplicate interval flag, but it did not help:
********************************
nft add map t m1 { type ipv4_addr: ipv4_addr\; flags interval, interval\; }
nft add element t m1 { 192.0.2.0/24 : 198.51.100.0/24 }
Error: Value must be a singleton
add element t m1 { 192.0.2.0/24 : 198.51.100.0/24 }
^^^^^^^^^^^^^^^
********************************</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>