author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-04 15:30:21 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-05 15:57:17 +0200 |
commit | 053566f71a28e9afc792d222a6fd7b55f7d8f4a0 (patch) | |
tree | 1b763931e110f2e10baba9a760c9ee668a707115 /tests/shell/testcases | |
parent | f3b27274bfdb75dc29301bdd537ee6fec6d4e7c1 (diff) |
optimize: support for redirect and masquerade
The redirect and masquerade statements can be handled as verdicts:
- if redirect statement specifies no ports.
- masquerade statement, in any case.
Exception to the rule: if the redirect statement specifies ports, then the nat
map transformation can be used iff both statements specify ports.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1668
Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
-rw-r--r-- | tests/shell/testcases/optimizations/dumps/merge_nat.nft | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/optimizations/merge_nat | 7 |
2 files changed, 11 insertions, 0 deletions
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
index dd17905d..48d18a67 100644
--- a/tests/shell/testcases/optimizations/dumps/merge_nat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -8,6 +8,7 @@ table ip test2 {
 chain y {
 oif "lo" accept
 dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 }
+ ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
 }
 }
 table ip test3 {
@@ -15,12 +16,15 @@ table ip test3 {
 oif "lo" accept
 snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
 oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport { 8888, 9999 } redirect
 }
 }
 table ip test4 {
 chain y {
 oif "lo" accept
 dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 }
+ redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
+ tcp dport 85 redirect
 }
 }
 table inet nat {
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
index edf7f4c4..3a57d940 100755
--- a/tests/shell/testcases/optimizations/merge_nat
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -17,6 +17,8 @@ RULESET="table ip test2 {
 oif lo accept
 tcp dport 80 dnat to 1.1.1.1:8001
 tcp dport 81 dnat to 2.2.2.2:9001
+ ip saddr 10.141.11.0/24 masquerade
+ ip saddr 10.141.13.0/24 masquerade
 }
 }"
 
@@ -28,6 +30,8 @@ RULESET="table ip test3 {
 ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
 ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
 oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+ tcp dport 8888 redirect
+ tcp dport 9999 redirect
 }
 }"
 
@@ -38,6 +42,9 @@ RULESET="table ip test4 {
 oif lo accept
 ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000
 ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000
+ tcp dport 83 redirect to :8083
+ tcp dport 84 redirect to :8084
+ tcp dport 85 redirect
 }
 }"
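Review bot: The new test4 rules in merge_nat only exercise a port-less redirect that comes after the port-bearing ones and matches a different port (`tcp dport 85 redirect`), so the exception the commit message describes is not tested where it matters: a port-less redirect whose selector overlaps a port-bearing one, e.g. `tcp dport 83 redirect` placed before `tcp dport 83 redirect to :8083`, where folding the second rule into a map positioned at the first port-bearing rule would presumably change which rule matches first. Consider adding such a pair to test4 with the expected dump keeping both rules, in their original order, instead of a map entry. The test3 hunk has the same gap for `tcp dport 8888 redirect` / `tcp dport 9999 redirect` merged into a set. A one-line comment above each RULESET stating what it exercises, such as `# port-less redirect and masquerade merge as verdicts; redirect with ports only merges into a nat map with other port-bearing redirects`, would make the dump file easier to review. Each RULESET assignment these hunks extend starts before the hunk.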