Hi,

In Kubernetes there is a feature called HostPorts for Pods, which is basically just implementing DNAT from the current host's HostIP:Protocol:Port to one container IP and port.

If I understand the documentation correctly, and following this stackoverflow answer https://unix.stackexchange.com/questions/745265/nftables-dnat-with-source-address-restriction-and-just-one-map, I can implement this with just one map, which should be something like this for IPv4 and IPv6:

> "ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service"
> "ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service"

In my prototype I can create the maps correctly and add elements to them, so I think that part is OK:

> nft add map inet cni-kindnet hostport-map-v4 { type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service \; flags interval \; }

The problem comes when I try to set up the rule that uses the map. This is the rule I'm using, but it fails to be inserted; there is also no clear message in the output, it just fails silently with exit code 1.

> nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4

I also tried this, without success:

> inet cni-kindnet prerouting dnat to ip daddr . meta l4proto . th dport map @hostport-map-v4

See the execution with debug=all attached.

My system info:

nft -V
nftables v1.0.6 (Lester Gooch #5)
  cli:		editline
  json:		yes
  minigmp:	no
  libxtables:	yes

uname -a
Linux dra-worker2 6.10.11-1rodete2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.10.11-1rodete2 (2024-10-16) x86_64 GNU/Linux
Evaluation phase of the attached debug=all output:

Evaluate add
add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

update link layer protocol context:
 link layer       : inet <-
 network layer    : none
 transport layer  : none
 payload data     : none

Evaluate nat
add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
                                     ^^^^
dnat to ip daddr . ip protocol . th dport map hostport-map-v4

Evaluate symbol
add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
                                                                                   ^^^^^^^^^^^^^^^^
hostport-map-v4

Evaluate set reference
add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
                                                                                   ^^^^^^^^^^^^^^^^
@hostport-map-v4
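As an added illustration (not code from the post or from kindnet) of what the single concatenated map expresses, the following Python script turns a constructed list of HostPort bindings into nft "add element" commands for the post's hostport-map-v4 / hostport-map-v6 maps in table inet cni-kindnet, and models the lookup a prerouting DNAT rule performs on a packet, including the miss case where no rewrite happens. The binding spec format and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Table and map names taken from the post; map type is
# addr . inet_proto . inet_service : addr . inet_service
TABLE = "inet cni-kindnet"
MAPS = {4: "hostport-map-v4", 6: "hostport-map-v6"}
PROTOCOLS = {"tcp", "udp", "sctp"}   # valid inet_proto names for HostPorts

def parse_binding(spec):
    """Parse a constructed 'hostip/proto/hostport->podip/podport' spec.
    '/' is the separator so IPv6 literals stay unambiguous."""
    host, pod = spec.split("->")
    host_ip, proto, host_port = host.split("/")
    pod_ip, pod_port = pod.split("/")
    host_ip = ipaddress.ip_address(host_ip)
    pod_ip = ipaddress.ip_address(pod_ip)
    if host_ip.version != pod_ip.version:
        raise ValueError(f"address family mismatch in {spec!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    host_port, pod_port = int(host_port), int(pod_port)
    for port in (host_port, pod_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
    return (host_ip, proto, host_port), (pod_ip, pod_port)

def element_commands(specs):
    """One 'add element' command per binding, routed to the map of the
    matching address family; key and data are concatenations."""
    cmds = []
    for spec in specs:
        (hip, proto, hport), (pip, pport) = parse_binding(spec)
        cmds.append(f"add element {TABLE} {MAPS[hip.version]} "
                    f"{{ {hip} . {proto} . {hport} : {pip} . {pport} }}")
    return cmds

def dnat_lookup(specs, daddr, proto, dport):
    """Model the map lookup a DNAT rule does on an incoming packet keyed by
    daddr . proto . dport; return (pod ip, pod port) or None on a miss."""
    table = {}
    for spec in specs:
        key, value = parse_binding(spec)
        table[key] = value
    hit = table.get((ipaddress.ip_address(daddr), proto, dport))
    return None if hit is None else (str(hit[0]), hit[1])

# Constructed sample bindings (not from the post).
SAMPLE = [
    "10.0.0.5/tcp/8080->10.244.0.3/80",
    "10.0.0.5/udp/53->10.244.0.4/5353",
    "fd00::5/tcp/8443->fd00:10:244::3/443",
]

if __name__ == "__main__":
    for cmd in element_commands(SAMPLE):
        print(cmd)
    print(dnat_lookup(SAMPLE, "10.0.0.5", "tcp", 8080))
    print(dnat_lookup(SAMPLE, "10.0.0.5", "tcp", 8081))
```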