authorPablo Neira Ayuso <pablo@netfilter.org>2023-02-17 15:10:44 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2023-02-28 15:42:26 +0100
commitddb962604cda323f15589f3b424c4618db7494de (patch)
tree144b1b7fccf90185aad132a58377dc886f132ee0 /tests/shell/testcases/sets/0067nat_concat_interval_0
parent3975430b12d97c92cdf03753342f2269153d5624 (diff)
evaluate: expand value to range when nat mapping contains intervals
If the data in the mapping contains a range, then upgrade value to range. Otherwise, the following error is displayed: /dev/stdin:11:57-75: Error: Could not process rule: Invalid argument dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } ^^^^^^^^^^^^^^^^^^^ The kernel rejects this command because userspace sends a single value while the kernel expects the range that represents the min and the max IP address to be used for NAT. The upgrade is also done when concatenation with intervals is used in the rhs of the mapping. For anonymous sets, expansion cannot be done from expr_evaluate_mapping() because the EXPR_F_INTERVAL flag is inferred from the elements. For explicit sets, this can be done from expr_evaluate_mapping() because the user already specifies the interval flag in the rhs of the map definition. Update tests/shell and tests/py to improve testing coverage in this case. Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps") Fixes: 66746e7dedeb ("src: support for nat with interval concatenation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/sets/0067nat_concat_interval_0')
-rwxr-xr-xtests/shell/testcases/sets/0067nat_concat_interval_027
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
index 530771b0..55cc0d4b 100755
--- a/tests/shell/testcases/sets/0067nat_concat_interval_0
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -42,3 +42,30 @@ EXPECTED="table ip nat {
$NFT -f - <<< $EXPECTED
$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
+
+EXPECTED="table ip nat {
+ map ipportmap4 {
+ typeof iifname . ip saddr : interval ip daddr
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ dnat to iifname . ip saddr map @ipportmap4
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+EXPECTED="table ip nat {
+ map ipportmap5 {
+ typeof iifname . ip saddr : interval ip daddr . tcp dport
+ flags interval
+ elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
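Review bot: The first new load, `$NFT -f - <<< $EXPECTED` for the ipportmap4 case, is followed by further commands, so unless the script runs under `set -e` (the top of the file is outside this hunk) a rejected ruleset there would not fail the test; only the final ipportmap5 load would set the exit status. Appending `|| exit 1` to that line, or confirming `set -e` is in effect, would close the gap. Both new cases use named maps with `flags interval`, while the error quoted in the commit message comes from an anonymous map. That path is presumably covered by the tests/py update, which this page does not show, but an anonymous-map `dnat ... map { ... }` case here would pin it in the shell suite as well. A one-line comment above each block, e.g. `# named nat map with interval in rhs: value must be upgraded to a range`, would record what each ruleset is meant to exercise.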