Maps: Difference between revisions
(add link to sets) |
(Edited for clarity, linked NAT and data types pages.) |
||
| Line 1: | Line 1: | ||
You can use an nftables map to look up a value that corresponds to the value of a defined key. Maps use the [[Sets | generic set infrastructure]] and therefore share many of the same options and semantics. | |||
= | = Anonymous maps = | ||
The following | The following rule uses a map to [[Performing_Network_Address_Translation_(NAT)|DNAT]] packets to different destination IP addresses depending on the packet's destination tcp port: | ||
<source lang="bash"> | <source lang="bash"> | ||
| Line 9: | Line 9: | ||
</source> | </source> | ||
This is | This is a very concise and efficient way to perform classical port redirection when the real servers are located behind a firewall. It can be read as it follows: | ||
* If the TCP destination port is 80, then the packet is DNAT'ed to 192.168.1.100. | * If the TCP destination port is 80, then the packet is DNAT'ed to 192.168.1.100. | ||
* If the TCP destination port is 8888, then the packet is DNAT'ed to 192.168.1.101. | * If the TCP destination port is 8888, then the packet is DNAT'ed to 192.168.1.101. | ||
You can also declare maps | = Named maps = | ||
You can also declare named maps, to which you can then add or delete elements at anytime. For example, with: | |||
<source lang="bash"> | <source lang="bash"> | ||
| Line 23: | Line 24: | ||
</source> | </source> | ||
we first define a map ''porttoip'' which looks up an IP address based on a UDP or TCP port number, and then add a couple of elements. The map itself only cares about the [[Data_types|data types]] of its keys and values. It is up to us to use meaningful values for both, and to use the map appropriately in rules. In this example we use ''porttoip'' to map tcp destination ports to source IP addresses. Then we can perform [[Performing_Network_Address_Translation_(NAT)|SNAT]] using the rule: | |||
Then | |||
<source lang="bash"> | <source lang="bash"> | ||
| Line 31: | Line 30: | ||
</source> | </source> | ||
Now outgoing packets to TCP/80 use source IP address 192.168.1.100, those to TCP/8888 are SNAT'ed to 192.168.1.101. We can easily adjust our SNAT at anytime simply by adding or deleting elements in ''porttoip''. | |||
Revision as of 00:28, 16 February 2021
You can use an nftables map to look up a value that corresponds to the value of a defined key. Maps use the generic set infrastructure and therefore share many of the same options and semantics.
Anonymous maps
The following rule uses a map to DNAT packets to different destination IP addresses depending on the packet's destination tcp port:
% nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
This is a very concise and efficient way to perform classical port redirection when the real servers are located behind a firewall. It can be read as it follows:
- If the TCP destination port is 80, then the packet is DNAT'ed to 192.168.1.100.
- If the TCP destination port is 8888, then the packet is DNAT'ed to 192.168.1.101.
Named maps
You can also declare named maps, to which you can then add or delete elements at anytime. For example, with:
% nft add map nat porttoip { type inet_service: ipv4_addr\; }
% nft add element nat porttoip { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
we first define a map porttoip which looks up an IP address based on a UDP or TCP port number, and then add a couple of elements. The map itself only cares about the data types of its keys and values. It is up to us to use meaningful values for both, and to use the map appropriately in rules. In this example we use porttoip to map tcp destination ports to source IP addresses. Then we can perform SNAT using the rule:
% nft add rule ip nat postrouting snat tcp dport map @porttoip
Now outgoing packets to TCP/80 use source IP address 192.168.1.100, those to TCP/8888 are SNAT'ed to 192.168.1.101. We can easily adjust our SNAT at anytime simply by adding or deleting elements in porttoip.