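#!/bin/bash

# Regression test for NAT mappings that carry an address, or an
# address . port pair, taken from a map lookup.
#
# Every positive case loads a ruleset and exits 1 if nft rejects it.
# Every negative case asks nft to accept something it must reject and
# exits 1 if nft accepts it (`&& exit 1`).
#
# Negative cases are only meaningful when the rule is rejected for the
# documented reason.  A typo in a map name or a datatype makes nft
# reject the rule anyway and the case passes vacuously, so every map
# and type referenced below must actually exist.
#
# $NFT is expected to be provided by the test harness (nft binary, with
# any wrapper flags); it is not set here.

# skeleton: ip family
$NFT -f /dev/stdin <<EOF || exit 1
table ip ipfoo {
	map x {
		type ipv4_addr : ipv4_addr
	}
	map y {
		type ipv4_addr : ipv4_addr . inet_service
		elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
	}
	map z {
		type ipv4_addr . inet_service : ipv4_addr . inet_service
		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta iifname != "foobar" accept
		dnat to ip daddr map @x
		ip saddr 10.1.1.1 dnat to 10.2.3.4
		ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
		meta l4proto tcp dnat to ip saddr map @y
		meta l4proto tcp dnat to ip saddr . tcp dport map @z
	}
}
EOF

# should fail: rule has no test for l4 protocol
$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1

# should fail: rule has no test for l4 protocol, but map has inet_service
$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1

# skeleton: ip6 family
$NFT -f /dev/stdin <<EOF || exit 1
table ip6 ip6foo {
	map x {
		type ipv6_addr : ipv6_addr
	}
	map y {
		type ipv6_addr : ipv6_addr . inet_service
	}
	map z {
		type ipv6_addr . inet_service : ipv6_addr . inet_service
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta iifname != "foobar" accept
		dnat to ip6 daddr map @x
		ip6 saddr dead::1 dnat to feed::1
		ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
		meta l4proto tcp dnat to ip6 saddr map @y
		meta l4proto tcp dnat to ip6 saddr . tcp dport map @z
	}
}
EOF

# should fail: rule has no test for l4 protocol
$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1

# should fail: rule has no test for l4 protocol, but map has inet_service
# (must use the ip6 selector here: 'ip daddr' in an ip6 table is rejected
# for the family clash, which would make this case pass for the wrong reason)
$NFT add rule 'ip6 ip6foo c dnat to ip6 daddr map @y' && exit 1

# skeleton: inet family (both address families in one table)
$NFT -f /dev/stdin <<EOF || exit 1
table inet inetfoo {
	map x4 {
		type ipv4_addr : ipv4_addr
	}
	map y4 {
		type ipv4_addr : ipv4_addr . inet_service
	}
	map z4 {
		type ipv4_addr . inet_service : ipv4_addr . inet_service
		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
	}
	map x6 {
		type ipv6_addr : ipv6_addr
	}
	map y6 {
		type ipv6_addr : ipv6_addr . inet_service
	}
	map z6 {
		type ipv6_addr . inet_service : ipv6_addr . inet_service
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta iifname != "foobar" accept
		dnat ip to ip daddr map @x4
		ip saddr 10.1.1.1 dnat to 10.2.3.4
		ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
		meta l4proto tcp dnat ip to ip saddr map @y4
		meta l4proto tcp dnat ip to ip saddr . tcp dport map @z4
		dnat ip6 to ip6 daddr map @x6
		ip6 saddr dead::1 dnat to feed::1
		ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
		meta l4proto tcp dnat ip6 to ip6 saddr map @y6
		meta l4proto tcp dnat ip6 to ip6 saddr . tcp dport map @z6
	}
}
EOF

# should fail: map has wrong family: 4->6
$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1

# should fail: map has wrong family: 6->4
$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1

# should fail: rule has no test for l4 protocol
$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1

# should fail: rule has no test for l4 protocol, but map has inet_service
$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1

# should fail: rule has test for l4 protocol, but map has wrong family: 4->6
$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1

# should fail: rule has test for l4 protocol, but map has wrong family: 6->4
$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1

# fail: inet_service, but expect ipv4_addr
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
	map a {
		type ipv4_addr : inet_service
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta l4proto tcp dnat ip to ip saddr map @a
	}
}
EOF

# fail: maps to inet_service . inet_service, not addr . service
# (the rule must reference the map defined in this ruleset, @b; an
# undefined map name would be rejected before the data type is checked)
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
	map b {
		type ipv4_addr : inet_service . inet_service
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta l4proto tcp dnat ip to ip saddr map @b
	}
}
EOF

# fail: only accept exactly two sub-expressions: 'addr . service'
# (uses real datatypes so the ruleset is rejected for the concatenation
# length, not for an unknown type name)
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
	map b {
		type ipv4_addr : ipv4_addr . inet_service . inet_service
	}

	chain c {
		type nat hook prerouting priority dstnat; policy accept;
		meta l4proto tcp dnat ip to ip saddr map @b
	}
}
EOF

exit 0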