blob: 2804d48ca406234e705355c1648f85af8d04dc9c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
#!/bin/bash
# skeleton
$NFT -f /dev/stdin <<EOF || exit 1
table ip ipfoo {
map t1 {
typeof numgen inc mod 2 : ip daddr;
}
map t2 {
typeof numgen inc mod 2 : ip daddr . tcp dport
}
map x {
type ipv4_addr : ipv4_addr
}
map y {
type ipv4_addr : ipv4_addr . inet_service
elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
}
map z {
type ipv4_addr . inet_service : ipv4_addr . inet_service
elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta iifname != "foobar" accept
dnat to ip daddr map @x
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
meta l4proto tcp dnat ip addr . port to ip saddr map @y
meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z
dnat ip to numgen inc mod 2 map @t1
meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
}
}
EOF
# should fail: rule has no test for l4 protocol
$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1
# should fail: rule has no test for l4 protocol, but map has inet_service
$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1
# skeleton 6
$NFT -f /dev/stdin <<EOF || exit 1
table ip6 ip6foo {
map t1 {
typeof numgen inc mod 2 : ip6 daddr;
}
map t2 {
typeof numgen inc mod 2 : ip6 daddr . tcp dport
}
map x {
type ipv6_addr : ipv6_addr
}
map y {
type ipv6_addr : ipv6_addr . inet_service
}
map z {
type ipv6_addr . inet_service : ipv6_addr . inet_service
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta iifname != "foobar" accept
dnat to ip6 daddr map @x
ip6 saddr dead::1 dnat to feed::1
ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z
dnat ip6 to numgen inc mod 2 map @t1
meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
}
}
EOF
# should fail: rule has no test for l4 protocol
$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
# should fail: rule has no test for l4 protocol, but map has inet_service
$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1
# skeleton inet
$NFT -f /dev/stdin <<EOF || exit 1
table inet inetfoo {
map t1v4 {
typeof numgen inc mod 2 : ip daddr
}
map t2v4 {
typeof numgen inc mod 2 : ip daddr . tcp dport;
}
map t1v6 {
typeof numgen inc mod 2 : ip6 daddr;
}
map t2v6 {
typeof numgen inc mod 2 : ip6 daddr . tcp dport
}
map x4 {
type ipv4_addr : ipv4_addr
}
map y4 {
type ipv4_addr : ipv4_addr . inet_service
}
map z4 {
type ipv4_addr . inet_service : ipv4_addr . inet_service
elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
}
map x6 {
type ipv6_addr : ipv6_addr
}
map y6 {
type ipv6_addr : ipv6_addr . inet_service
}
map z6 {
type ipv6_addr . inet_service : ipv6_addr . inet_service
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta iifname != "foobar" accept
dnat ip to ip daddr map @x4
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
meta l4proto tcp dnat ip addr . port to ip saddr map @y4
meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4
dnat ip to numgen inc mod 2 map @t1v4
meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
dnat ip6 to ip6 daddr map @x6
ip6 saddr dead::1 dnat to feed::1
ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6
meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
dnat ip6 to numgen inc mod 2 map @t1v6
meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
}
}
EOF
# should fail: map has wrong family: 4->6
$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1
# should fail: map has wrong family: 6->4
$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1
# should fail: rule has no test for l4 protocol
$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
# should fail: rule has no test for l4 protocol, but map has inet_service
$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1
# should fail: rule has test for l4 protocol, but map has wrong family: 4->6
$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1
# should fail: rule has test for l4 protocol, but map has wrong family: 6->4
$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1
# fail: inet_service, but expect ipv4_addr
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
map a {
type ipv4_addr : inet_service
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto tcp dnat ip to ip saddr map @a
}
}
EOF
# fail: maps to inet_service . inet_service, not addr . service
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
map b {
type ipv4_addr : inet_service . inet_service
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto tcp dnat ip to ip saddr map @a
}
}
EOF
# fail: only accept exactly two sub-expressions: 'addr . service'
$NFT -f /dev/stdin <<EOF && exit 1
table inet inetfoo {
map b {
type ipv4_addr : inet_addr . inet_service . inet_service
}
chain c {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto tcp dnat ip to ip saddr map @a
}
}
EOF
exit 0
|
