summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases/optimizations/merge_nat
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: split nat inet testsPablo Neira Ayuso2023-11-221-16/+0
| | | | | | Detach nat inet from existing tests not to reduce test coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: split merge nat optimization in two testsPablo Neira Ayuso2023-11-111-13/+0
| | | | | | | One without pipapo support and another with not to harm existing coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: support for redirect and masqueradePablo Neira Ayuso2023-04-051-0/+7
| | | | | | | | | | | | | | The redirect and masquerade statements can be handled as verdicts: - if redirect statement specifies no ports. - masquerade statement, in any case. Exceptions to the rule: If redirect statement specifies ports, then nat map transformation can be used iif both statements specify ports. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1668 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: infer family for nat mappingPablo Neira Ayuso2023-02-211-0/+16
| | | | | | | | | | | | | | | Infer family from key in nat mapping, otherwise nat mapping via merge breaks since family is not specified. Merging: fw-test-bug2.nft:4:9-78: iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22 fw-test-bug2.nft:5:9-77: iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443 fw-test-bug2.nft:6:9-75: iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80 into: dnat ip to iifname . ip daddr . tcp dport map { enp2s0 . 72.2.3.66 . 53122 : 10.1.1.10 . 22, enp2s0 . 72.2.3.66 . 443 : 10.1.1.52 . 443, enp2s0 . 72.2.3.70 . 80 : 10.1.1.52 . 80 } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1657 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: ignore existing nat mappingPablo Neira Ayuso2023-02-071-0/+1
| | | | | | | | | | | | | | | | User might be already using a nat mapping in their ruleset, use the unsupported statement when collecting statements in this case. # nft -c -o -f ruleset.nft nft: optimize.c:443: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed. Aborted The -o/--optimize feature only cares about linear rulesets at this stage, but do not hit assert() in this case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1656 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: select merge criteria based on candidates rulesPablo Neira Ayuso2023-02-061-0/+4
| | | | | | | | | | | | | Select the merge criteria based on the statements that are used in the candidate rules, instead of using the list of statements in the given chain. Update tests to include a rule with a verdict, which triggers the bug described in the bugzilla ticket. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1657 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merge nat rules with same selectors into mapPablo Neira Ayuso2022-05-031-0/+39
Verdict and nat are mutually exclusive, no need to support for this combination. # cat ruleset.nft table ip x { chain y { type nat hook postrouting priority srcnat; policy drop; ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 } } # nft -o -c -f ruleset.nft Merging: ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 into: snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>