diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-05-03 17:51:36 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-05-03 23:45:21 +0200 |
commit | 0a6dbfce6dc30a3bf2ef560f4f4dbccf9b53f1d8 (patch) | |
tree | 539360f8067d63498aad3425ef9f7ab3d9f8e701 /tests/shell/testcases | |
parent | 743b0e81371f0e5a6d70375e8efd7fbe9b00cae7 (diff) |
optimize: merge nat rules with same selectors into map
Verdict and nat are mutually exclusive, no need to support for this
combination.
# cat ruleset.nft
table ip x {
chain y {
type nat hook postrouting priority srcnat; policy drop;
ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
}
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
into:
snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
-rw-r--r-- | tests/shell/testcases/optimizations/dumps/merge_nat.nft | 20 | ||||
-rwxr-xr-x | tests/shell/testcases/optimizations/merge_nat | 39 |
2 files changed, 59 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft new file mode 100644 index 00000000..7a6ecb76 --- /dev/null +++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft @@ -0,0 +1,20 @@ +table ip test1 { + chain y { + dnat to ip saddr map { 4.4.4.4 : 1.1.1.1, 5.5.5.5 : 2.2.2.2 } + } +} +table ip test2 { + chain y { + dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 } + } +} +table ip test3 { + chain y { + snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 } + } +} +table ip test4 { + chain y { + dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 } + } +} diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat new file mode 100755 index 00000000..290cfcfe --- /dev/null +++ b/tests/shell/testcases/optimizations/merge_nat @@ -0,0 +1,39 @@ +#!/bin/bash + +set -e + +RULESET="table ip test1 { + chain y { + ip saddr 4.4.4.4 dnat to 1.1.1.1 + ip saddr 5.5.5.5 dnat to 2.2.2.2 + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip test2 { + chain y { + tcp dport 80 dnat to 1.1.1.1:8001 + tcp dport 81 dnat to 2.2.2.2:9001 + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip test3 { + chain y { + ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3 + ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4 + } +}" + +$NFT -o -f - <<< $RULESET + +RULESET="table ip test4 { + chain y { + ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000 + ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000 + } +}" + +$NFT -o -f - <<< $RULESET |