author | Phil Sutter <phil@nwl.cc> | 2019-04-02 15:36:42 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-04-03 19:59:34 +0200 |
commit | 3b29acc8f29944c5cf34259f2e2b5b40b4d0ccdd (patch) | |
tree | 89f574a0ec8cb643629de006b8f0a01e5c117767 | |
parent | 50b5b71ebeee33b725d44ab4487d5d257f9ca4c0 (diff) |
doc: Add minimal description of (v)map statements
Although quite useful, these were missing in the man page. Content loosely
based on wiki documentation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | doc/statements.txt | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/statements.txt b/doc/statements.txt index 0687f53f..754040bc 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -564,3 +564,37 @@ nft list set ip filter blackhole # manually add two addresses to the set: nft add element filter blackhole { 10.2.3.4, 10.23.1.42 } ----------------------------------------------- + +MAP STATEMENT +~~~~~~~~~~~~~ +The map statement is used to lookup data based on some specific input key. + +[verse] +'expression' *map* *{* 'key' *:* 'value' [*,* 'key' *:* 'value' ...] *}* + +.Using the map statement +------------------------ +# select DNAT target based on TCP dport: +# connections to port 80 are redirected to 192.168.1.100, +# connections to port 8888 are redirected to 192.168.1.101 +nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 } + +# source address based SNAT: +# packets from net 192.168.1.0/24 will appear as originating from 10.0.0.1, +# packets from net 192.168.2.0/24 will appear as originating from 10.0.0.2 +nft add rule ip nat postrouting snat to ip saddr map { 192.168.1.0/24 : 10.0.0.1, 192.168.2.0/24 : 10.0.0.2 } +------------------------ + +VMAP STATEMENT +~~~~~~~~~~~~~~ +The verdict map (vmap) statement works analogous to the map statement, but +contains verdicts as values. + +[verse] +'expression' *vmap* *{* 'key' *:* 'verdict' [*,* 'key' *:* 'verdict' ...] *}* + +.Using the vmap statement +------------------------- +# jump to different chains depending on layer 4 protocol type: +nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain } +------------------------ |
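Review bot: the two NAT examples in the new MAP STATEMENT section are inconsistent about the `to` keyword: the DNAT rule is written `dnat tcp dport map { ... }` while the SNAT rule is written `snat to ip saddr map { ... }`. Readers will copy these lines verbatim, so use one form in both; `dnat to tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }` matches the SNAT example. Smaller points in the same hunk: "used to lookup data" should be "used to look up data" (verb), "works analogous to the map statement" should be "works analogously to the map statement", and there is a stray space before the comma in `jump udp-chain , icmp` in the vmap example. Finally, the listing block under `.Using the vmap statement` opens with a 25-dash delimiter line but closes with a 24-dash line, whereas the map example uses 24 dashes for both; AsciiDoc processors that require the opening and closing delimiter lines to match may not close the block correctly, so make them identical.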