author | Jeremy Sowden <jeremy@azazel.net> | 2024-04-29 20:27:53 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-05-20 13:37:54 +0200 |
commit | c6127ff0c4480ccefc5c29548409898fb315a2ca (patch) | |
tree | d1c13d8ac36a6013a26dfd80a93608766fefce26 /tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft | |
parent | 52a7af9bec15a4fb4bfea86e40b70f96098f7dfd (diff) |
evaluate: add support for variables in map expressions
It is possible to use a variable to initialize a map, which is then used
in a map statement:
define dst_map = { ::1234 : 5678 }
table ip6 nat {
map dst_map {
typeof ip6 daddr : tcp dport;
elements = $dst_map
}
chain prerouting {
ip6 nexthdr tcp redirect to ip6 daddr map @dst_map
}
}
However, if one tries to use the variable directly in the statement:
define dst_map = { ::1234 : 5678 }
table ip6 nat {
chain prerouting {
ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
}
}
nft rejects it:
/space/azazel/tmp/ruleset.1067161.nft:5:47-54: Error: invalid mapping expression variable
ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
~~~~~~~~~ ^^^^^^^^
It also rejects variables in stateful object statements:
define quota_map = { 192.168.10.123 : "user123", 192.168.10.124 : "user124" }
table ip nat {
quota user123 { over 20 mbytes }
quota user124 { over 20 mbytes }
chain prerouting {
quota name ip saddr map $quota_map
}
}
thus:
/space/azazel/tmp/ruleset.1067161.nft:15:29-38: Error: invalid mapping expression variable
quota name ip saddr map $quota_map
~~~~~~~~ ^^^^^^^^^^
Add support for these uses together with some test-cases.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067161
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft')
-rw-r--r-- | tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft
new file mode 100644
index 00000000..e3fab16d
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft
@@ -0,0 +1,147 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user321",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user124",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "user123"
+ ],
+ [
+ "2.2.2.2",
+ "user123"
+ ],
+ [
+ "192.168.2.2",
+ "user123"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "quota": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "192.168.2.2",
+ "user124"
+ ],
+ [
+ "192.168.2.3",
+ "user124"
+ ]
+ ]
+ }
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+} |