[Bug 1764] New: mapping IPv4 interval to IPv4 interval works for anonymous maps, but not for named maps
bugzilla-daemon at netfilter.org
Wed Aug 14 13:21:19 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1764
Bug ID: 1764
Summary: mapping IPv4 interval to IPv4 interval works for anonymous maps, but not for named maps
Product: nftables
Version: git (please specify your HEAD)
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: karel at unitednetworks.cz
I want to create IPv4 SNAT mapping from interval to interval (SNAT M:N where N
will be different for each interval from M). It looks like this is possible by
using anonymous maps, but not by using named maps.
System:
********************************
uname -a
Linux karel2 6.10.4-gentoo #1 SMP PREEMPT_DYNAMIC Mon Aug 12 11:07:42 CEST 2024
x86_64 AMD Ryzen 5 8600G w/ Radeon 760M Graphics AuthenticAMD GNU/Linux
cd /usr/src/nftables
git status
HEAD detached at 80258b03
nothing to commit, working tree clean
nft --version
nftables v1.1.0 (Commodore Bullmoose)
********************************
Anonymous map example:
********************************
nft add table t
nft add chain t c { type nat hook postrouting priority srcnat\; }
nft add rule t c snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 } persistent
nft list ruleset
table ip t {
chain c {
type nat hook postrouting priority srcnat; policy accept;
snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 } persistent
}
}
********************************
Named map example:
********************************
nft flush ruleset
nft add table t
nft add chain t c { type nat hook postrouting priority srcnat\; }
nft add map t m { type ipv4_addr: ipv4_addr\; flags interval\; }
nft add rule t c snat ip to ip saddr map @m persistent
nft list ruleset
table ip t {
map m {
type ipv4_addr : ipv4_addr
flags interval
}
chain c {
type nat hook postrouting priority srcnat; policy accept;
snat to ip saddr map @m persistent
}
}
nft add element t m { 192.0.2.0/24 : 198.51.100.0/24 }
Error: Value must be a singleton
add element t m { 192.0.2.0/24 : 198.51.100.0/24 }
^^^^^^^^^^^^^^^
********************************
I am aware of the possibility of using verdict maps and dynamically creating chains for
each NATed interval, but it looks like unnecessary overhead and it should work
directly with named maps if it works with anonymous maps.
Just tried a duplicate interval flag, but it did not help:
********************************
nft add map t m1 { type ipv4_addr: ipv4_addr\; flags interval, interval\; }
nft add element t m1 { 192.0.2.0/24 : 198.51.100.0/24 }
Error: Value must be a singleton
add element t m1 { 192.0.2.0/24 : 198.51.100.0/24 }
^^^^^^^^^^^^^^^
********************************
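The verdict-map workaround the report mentions, written out as a generator so the per-interval chains do not have to be created by hand. This is an added example, not code from the bug report or from nftables; it assumes the table t and base chain c from the report, invents the map name snat_vmap and chain names snat_N, and writes each target prefix as an address range, the form snat accepts in any case.

```python
# Verdict-map workaround for interval-to-interval SNAT: one regular chain per
# source interval, selected through an interval verdict map, because a named
# ipv4_addr : ipv4_addr interval map rejects interval values ("Value must be
# a singleton").  Added example, not from the bug report or nftables; table "t",
# base chain "c", the map name and the chain names are assumptions.
from ipaddress import IPv4Network, ip_network


def build_snat_ruleset(pairs: dict, table: str = "t",
                       base_chain: str = "c", vmap: str = "snat_vmap") -> str:
    """Return an nft script for SNAT M:N, pairs = {src_prefix: dst_prefix}.

    Raises ValueError on malformed prefixes or overlapping source intervals,
    which an interval map without auto-merge would reject anyway.
    """
    seen: list = []       # source networks accepted so far
    chains: list = []     # one "chain snat_N { snat ... }" per interval
    elements: list = []   # "src : jump snat_N" entries of the verdict map
    for i, (src, dst) in enumerate(pairs.items()):
        src_net = ip_network(src, strict=True)  # strict rejects 192.0.2.1/24
        dst_net = ip_network(dst, strict=True)
        if not isinstance(src_net, IPv4Network) or not isinstance(dst_net, IPv4Network):
            raise ValueError(f"IPv4 prefixes only: {src} : {dst}")
        for other in seen:
            if src_net.overlaps(other):
                raise ValueError(f"overlapping source intervals: {src_net}, {other}")
        seen.append(src_net)
        chain = f"snat_{i}"
        # target written as first-last address, the range form snat always takes
        chains.append(f"    chain {chain} {{\n"
                      f"        snat ip to {dst_net[0]}-{dst_net[-1]} persistent\n"
                      f"    }}\n")
        elements.append(f"{src_net} : jump {chain}")
    return (
        f"table ip {table} {{\n"
        f"    map {vmap} {{\n"
        "        type ipv4_addr : verdict\n"
        "        flags interval\n"
        f"        elements = {{ {', '.join(elements)} }}\n"
        "    }\n"
        + "".join(chains)
        + f"    chain {base_chain} {{\n"
        "        type nat hook postrouting priority srcnat; policy accept;\n"
        f"        ip saddr vmap @{vmap}\n"
        "    }\n"
        "}\n"
    )
```

The returned text is an nft script in the same layout as the `nft list ruleset` output above and is meant for `nft -f`.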