Re: nftables portmap map

Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> In Kubernetes there is a feature called HostPorts for Pods, which
> basically just implements DNAT from the current host's
> HostIP:Protocol:Port to one container IP and port.
> 
> If I understand the documentation correctly, and following this
> stackoverflow answer
> https://unix.stackexchange.com/questions/745265/nftables-dnat-with-source-address-restriction-and-just-one-map,
> I can implement this with just one map, which should be something like
> this for IPv4 and IPv6:
> 
> > "ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service"
> > "ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service"
> 
> In my prototype I can create the maps correctly and add elements to
> them, so I think that part is OK.
> 
> > nft add map inet cni-kindnet hostport-map-v4 { type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service \; flags interval \; }
> 
> The problem comes when I try to set up the rule to use the map. This
> is the rule I'm using, but it fails to be inserted; there is also no
> clear message in the output, it just fails silently with exit code
> 1.
> 
> > nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
> 
> I also tried, without success:
> 
> > inet cni-kindnet prerouting dnat to ip daddr . meta l4proto . th dport map @hostport-map-v4
> 
> See the execution with debug=all attached.
> 
> My system info is:
> 
> nft -V
> nftables v1.0.6 (Lester Gooch #5)
>   cli:          editline
>   json:         yes
>   minigmp:      no
>   libxtables:   yes

Strange, this version does work for me.

table inet cni-kindnet {
        map hostport-map-v4 {
                type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
                flags interval
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
        }
}
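A complete, loadable version of that ruleset, as an added example that is not part of the reply above or of kindnet's own code. It keeps the table, map and chain names from the thread, adds an IPv6 map and rule built on the same pattern (the v6 rule with `meta l4proto` is my assumption, not something the thread confirms), adds a nat output chain so locally generated traffic to HostIP:port is also translated, and uses constructed sample host/pod addresses. The rule text is the point: in the `inet` family the NAT statement carries the address family (`dnat ip to`, `dnat ip6 to`), which is the difference between the reply's working ruleset and the bare `dnat to ...` that failed to load.

```shell
#!/bin/sh
# Added example (not the original poster's or kindnet's code): generate the
# nftables ruleset for the HostPort DNAT map discussed above, plus the element
# commands that populate it. All host/pod addresses are constructed sample data.
#
# The rule that failed in the report was "dnat to ip daddr . ip protocol ...".
# In the inet family the NAT statement needs the address family spelled out,
# which is why the working ruleset in the reply reads "dnat ip to ...".

# Print the base ruleset: table, one map per family, and the NAT chains.
hostport_ruleset() {
    cat <<'EOF'
table inet cni-kindnet {
        map hostport-map-v4 {
                type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
                flags interval
        }
        map hostport-map-v6 {
                type ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service
                flags interval
        }
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                # "ip daddr" / "ip6 daddr" only match packets of that family,
                # so each rule implicitly selects v4 or v6 traffic
                dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
                dnat ip6 to ip6 daddr . meta l4proto . th dport map @hostport-map-v6
        }
        chain output {
                # locally generated traffic to HostIP:port also has to hit the map
                type nat hook output priority dstnat; policy accept;
                dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
                dnat ip6 to ip6 daddr . meta l4proto . th dport map @hostport-map-v6
        }
}
EOF
}

# Print the command that maps HostIP:proto:port to PodIP:port.
# $1 = 4 or 6, $2 = host IP, $3 = tcp|udp|sctp, $4 = host port,
# $5 = pod IP, $6 = pod port
hostport_element() {
    printf 'add element inet cni-kindnet hostport-map-v%s { %s . %s . %s : %s . %s }\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Print the command that removes a mapping again (pod deleted); map elements
# are addressed by key only.  $1 = 4 or 6, $2 = host IP, $3 = proto, $4 = host port
hostport_delete() {
    printf 'delete element inet cni-kindnet hostport-map-v%s { %s . %s . %s }\n' \
        "$1" "$2" "$3" "$4"
}

# Full script: ruleset followed by three sample mappings (constructed data).
hostport_script() {
    hostport_ruleset
    hostport_element 4 192.168.1.10 tcp 8080 10.244.0.5 80
    hostport_element 4 192.168.1.10 udp 5353 10.244.0.6 53
    hostport_element 6 2001:db8::10 tcp 8080 fd00:10:244::5 80
}

hostport_script
```

Pipe the output through `nft -c -f -` to check it parses on the installed nft/kernel combination without committing anything, through `nft -f -` to load it, and then `nft list map inet cni-kindnet hostport-map-v4` to confirm the elements landed. `nft -c` is the quickest way to see the parse error that the poster's `add rule` invocation swallowed.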



