On Fri, Oct 09, 2015 at 11:35:32AM +0200, Arturo Borrero Gonzalez wrote:
> Hi,
>
> I'm playing with nftables maps and found some issues.
>
> First:
>
> I can add this named map in the CLI but I can't load it from a file.
> This can be reproduced with these commands:
>
> % nft flush ruleset
> % nft add table t
> % nft add map t m { type ipv4_addr : ipv4_addr \; }
> % nft add element t m {1.1.1.1: 2.2.2.2 }
> % echo "flush ruleset" > test.nft
> % nft list ruleset >> test.nft
> % nft -f test.nft
> test.nft:5:28-46: Error: mapping outside of map context
> elements = { 1.1.1.1 : 2.2.2.2}
> ^^^^^^^^^^^^^^^^^^^

Known issue, our grammar is invoking the evaluation of the elements
before it has actually evaluated the declaration.

> Second:
>
> I can use ANONYMOUS maps for SNAT:
>
> % nft flush ruleset
> % nft add table nat
> % nft add chain nat postrouting
> % nft add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2}
> [OK]
>
> But I can't use NAMED maps for SNAT:
>
> % nft flush ruleset
> % nft add table nat
> % nft add map nat m { type ipv4_addr : ipv4_addr\; }
> % nft add element nat m { 1.1.1.1 : 2.2.2.2 }
> % nft add chain nat postrouting
> % nft add rule nat postrouting snat ip saddr map @m
> <cmdline>:1:1-45: Error: Could not process rule: Invalid argument
> add rule nat postrouting snat ip saddr map @m
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This seems to be triggered by the kernel (I'm running 4.1, please let
> me know if newer versions have this fixed)

Sigh, I already sent a patch for this to -stable on Sep 11th.

http://marc.info/?l=netfilter-devel&m=144197606028112&w=4