Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> In Kubernetes there is a feature called HostPorts for Pods, which
> basically just implements DNAT from the current host
> HostIP:Protocol:Port to one Container IP and Port.
>
> If I understand correctly the documentation and following this
> stackoverflow answer
> https://unix.stackexchange.com/questions/745265/nftables-dnat-with-source-address-restriction-and-just-one-map,
> I can implement this with just one map, which should be something like
> this for IPv4 and IPv6:
>
> > "ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service"
> > "ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service"
>
> In my prototype I can create the maps correctly and add elements to them,
> so I think that part is ok:
>
> > nft add map inet cni-kindnet hostport-map-v4 { type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service \; flags interval \; }
>
> The problem comes when I try to set up the rule to use the map. This
> is the rule I'm using, but it fails to be inserted; there is also no
> clear message on the output, it just fails silently with an exit code
> of 1.
>
> > nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
>
> I also tried without success:
>
> > inet cni-kindnet prerouting dnat to ip daddr . meta l4proto . th
> > dport map @hostport-map-v4
>
> See execution with debug=all attached.
>
> My system info is:
>
> nft -V
> nftables v1.0.6 (Lester Gooch #5)
>   cli: editline
>   json: yes
>   minigmp: no
>   libxtables: yes

Strange, this version does work for me.

table inet cni-kindnet {
	map hostport-map-v4 {
		type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
		flags interval
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
	}
}
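The working ruleset from the reply differs from the failing rule in the question only in the family keyword after `dnat` (`dnat ip to` rather than `dnat to`). The script below is an added example, not code from the thread or from kindnet: it emits that ruleset as a complete file with map elements filled in from its arguments, and syntax-checks it with `nft -c` when nft is installed, without touching the kernel. The table, map and chain names and the IPv4 rule are the ones the thread shows working; the host/pod addresses are constructed sample values, and the IPv6 map and `dnat ip6 to` rule are an assumed counterpart built from the v6 map type in the question, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread or from kindnet: emit a complete
# nftables ruleset for a HostPort DNAT map and, when nft is installed,
# syntax-check it with "nft -c" (nothing is applied to the kernel).
# The IPv6 map and rule are an assumed counterpart of the IPv4 ones and
# are not confirmed by the thread.

# Emit the ruleset on stdout. Each argument is one IPv4 map element:
#   "HOSTIP . PROTO . HOSTPORT : PODIP . PODPORT"
hostport_ruleset() {
    cat <<'EOF'
table inet cni-kindnet {
    map hostport-map-v4 {
        type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
        flags interval
EOF
    if [ "$#" -gt 0 ]; then
        printf '        elements = { '
        sep=''
        for e in "$@"; do
            printf '%s%s' "$sep" "$e"
            sep=', '
        done
        printf ' }\n'
    fi
    cat <<'EOF'
    }

    # Assumed IPv6 counterpart (not shown in the thread).
    map hostport-map-v6 {
        type ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service
        flags interval
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The only difference from the failing rule in the question is the
        # family keyword after dnat: "dnat ip to", not "dnat to".
        dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
        dnat ip6 to ip6 daddr . meta l4proto . th dport map @hostport-map-v6
    }
}
EOF
}

# Return only the IPv4 dnat rule line, so a caller can confirm that the
# family-qualified form is what gets emitted.
hostport_dnat_rule_v4() {
    hostport_ruleset | sed -n 's/^ *\(dnat ip to .*\)$/\1/p'
}

# Syntax-check the generated ruleset with "nft -c -f -" (reads stdin).
# Exit status: 0 accepted, 2 nft not installed, otherwise nft's own status.
hostport_check() {
    command -v nft >/dev/null 2>&1 || return 2
    hostport_ruleset "$@" | nft -c -f -
}

# Usage with one constructed mapping: host 192.0.2.10 tcp/8080 -> pod
# 10.244.0.5 port 80.
hostport_ruleset "192.0.2.10 . tcp . 8080 : 10.244.0.5 . 80"
if hostport_check "192.0.2.10 . tcp . 8080 : 10.244.0.5 . 80"; then
    echo "nft -c: ruleset accepted"
else
    echo "nft -c: skipped or rejected (status $?)"
fi
```

Loading the generated file with `nft -f` replaces nothing on its own; a production loader would wrap it in `flush table inet cni-kindnet` or use `nft add element` / `nft delete element` against `hostport-map-v4` to track pod churn without re-creating the chain.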