On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> Package: nftables
> Version: 1.0.6-2+deb12u2
> Severity: normal
>
> Dear Maintainer,
>
> The nftables config below triggers a BUG.
>
>   $ nft -f /etc/nftables.conf
>   BUG: invalid mapping expression variable
>   nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
>   Aborted
>
> Refactoring to use $srvaddr_map instead of having the anonymous map
> inline made the bug trigger.
That assertion has since been replaced upstream by a normal error message:

  /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
  ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
                              ~~~~~~~~~~~~~~~~~~~~~~     ^^^^^^^^^^^^

> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
> define iid_mask6 = ::ffff:ffff:ffff:ffff
> define srvaddr_map = { ::8384 : 8384 }
> table inet filter {
> 	chain input {
> 		type filter hook input priority filter;
> 	}
> 	chain prerouting {
> 		type nat hook prerouting priority dstnat;
> 		ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/ works
> 	}
> 	chain forward {
> 		type filter hook forward priority filter;
> 	}
> 	chain output {
> 		type filter hook output priority filter;
> 	}
> }

Because of the way parsing works in nftables, one can't use a symbolic
variable in that context.  This, however, will work:

define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
	map srvaddr_map {
		typeof ip6 daddr : tcp dport;
		elements = $srvaddr_map
	}
	chain prerouting {
		type nat hook prerouting priority dstnat;
		ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
	}
}

or more concisely:

define iid_mask6 = ::ffff:ffff:ffff:ffff
table inet filter {
	map srvaddr_map {
		typeof ip6 daddr : tcp dport;
		elements = { ::8384 : 8384 }
	}
	chain prerouting {
		type nat hook prerouting priority dstnat;
		ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
	}
}

J.
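A check for the two forms discussed in the reply, added here and not part of the thread: it feeds the reporter's `map $srvaddr_map` ruleset and the named-map (`@srvaddr_map`) version to `nft -c -f -`, nftables' check mode, which parses and evaluates a file without loading anything into the kernel, and classifies the outcome. The `NFT` override variable, the reduced rulesets and the result labels are this example's own; the map contents and the rule are the ones from the report.

```shell
#!/bin/sh
# Added example (not from the bug thread): run both rulesets through
# `nft -c -f -` (check mode: parse + evaluate, nothing is committed).
# nft 1.0.6 (Debian 12) still dies on the assertion, current upstream
# prints an ordinary error; both carry the same message text and both
# are classified as "rejected" below.
# NFT is an assumed override so a locally built nft can be pointed at.

NFT=${NFT:-nft}

# Constructed ruleset: the report's config reduced to the offending chain,
# `map $variable` inside the redirect expression.
broken_ruleset() {
	cat <<'EOF'
flush ruleset
define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
	chain prerouting {
		type nat hook prerouting priority dstnat;
		ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
	}
}
EOF
}

# Constructed ruleset in the form from the reply: a named map referenced
# as @srvaddr_map; the variable only fills the map's element list.
fixed_ruleset() {
	cat <<'EOF'
flush ruleset
define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
	map srvaddr_map {
		typeof ip6 daddr : tcp dport;
		elements = $srvaddr_map
	}
	chain prerouting {
		type nat hook prerouting priority dstnat;
		ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
	}
}
EOF
}

# check_ruleset FUNC: pipe FUNC's output into `nft -c`.
# Prints one of: accepted (exit 0); rejected (nft refused the map variable,
# exit 1); skipped (no nft binary, exit 2); failed: <first stderr line>
# (any other error, e.g. "Operation not permitted" when not root, exit 3).
check_ruleset() {
	if ! command -v "$NFT" >/dev/null 2>&1; then
		echo skipped
		return 2
	fi
	# Capture stderr, discard stdout; the pipeline's status is nft's.
	err=$("$1" | "$NFT" -c -f - 2>&1 >/dev/null) && { echo accepted; return 0; }
	case $err in
	*"invalid mapping expression variable"*)
		echo rejected
		return 1 ;;
	*)
		echo "failed: $(printf '%s\n' "$err" | head -n 1)"
		return 3 ;;
	esac
}

# Stand-alone run: expected "broken_ruleset  rejected" and
# "fixed_ruleset   accepted" (or "skipped" where nft is not installed).
for rs in broken_ruleset fixed_ruleset; do
	printf '%-15s %s\n' "$rs" "$(check_ruleset "$rs" || true)"
done
```

The classification keys on the message text rather than the exit status because the Debian 12 build aborts (exit 134) while newer builds exit 1 with the same wording. If `nft -c` reports `Operation not permitted`, run it as root or inside a user namespace; check mode still opens a netlink socket.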