blob: e53838a32262bc832225ee8bef979e505288f8fb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp gte reg 1 0x00005000 ]
[ cmp lte reg 1 0x00005a00 ]
[ immediate reg 1 0x0203a8c0 ]
[ nat dnat ip addr_min reg 1 ]
# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ range neq reg 1 0x00005000 0x00005a00 ]
[ immediate reg 1 0x0203a8c0 ]
[ nat dnat ip addr_min reg 1 ]
# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2
__set%d test-ip4 3
__set%d test-ip4 0
element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end]
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d ]
[ immediate reg 1 0x0203a8c0 ]
[ nat dnat ip addr_min reg 1 ]
# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2
__set%d test-ip4 3
__set%d test-ip4 0
element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end]
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 1 0x0203a8c0 ]
[ nat dnat ip addr_min reg 1 ]
# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ range neq reg 1 0x00001700 0x00002200 ]
[ immediate reg 1 0x0203a8c0 ]
[ nat dnat ip addr_min reg 1 ]
# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080
ip test-ip4 prerouting
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005100 ]
[ immediate reg 1 0x0203a8c0 ]
[ immediate reg 2 0x0000901f ]
[ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
# dnat to ct mark map { 0x00000014 : 1.2.3.4}
__map%d test-ip4 b
__map%d test-ip4 0
element 00000014 : 04030201 0 [end]
ip test-ip4 prerouting
[ ct load mark => reg 1 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 ]
# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
__map%d test-ip4 b
__map%d test-ip4 0
element 00000014 01010101 : 04030201 0 [end]
ip test-ip4 output
[ ct load mark => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 ]
# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 }
__map%d test-ip4 b size 1
__map%d test-ip4 0
element 0201a8c0 00005000 : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end]
ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 9 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 }
__map%d test-ip4 b size 1
__map%d test-ip4 0
element 0201a8c0 00005000 : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end]
ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 9 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 }
__map%d test-ip4 b size 1
__map%d test-ip4 0
element 0201a8c0 00005000 : 020a8d0a 0000b822 020a8d0a 00002723 0 [end]
ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 9 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999
ip
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005100 ]
[ immediate reg 1 0x0203a8c0 ]
[ immediate reg 2 0x0000901f ]
[ immediate reg 3 0x00002723 ]
[ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ]
# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080
ip
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005100 ]
[ immediate reg 1 0x0203a8c0 ]
[ immediate reg 2 0x0403a8c0 ]
[ immediate reg 3 0x0000901f ]
[ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ]
# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999
ip
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005100 ]
[ immediate reg 1 0x0203a8c0 ]
[ immediate reg 2 0x0403a8c0 ]
[ immediate reg 3 0x0000901f ]
[ immediate reg 4 0x00002723 ]
[ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
__map%d test-ip4 b size 2
__map%d test-ip4 0
element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end]
ip
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 proto_min reg 9 ]
|
