@@ -2061,6 +2061,7 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
mappings->set_flags |= NFT_SET_MAP;
switch (map->mappings->etype) {
+ case EXPR_VARIABLE:
case EXPR_SET:
if (ctx->ectx.key && ctx->ectx.key->etype == EXPR_CONCAT) {
key = expr_clone(ctx->ectx.key);
@@ -4576,6 +4577,7 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt)
mappings->set_flags |= NFT_SET_OBJECT;
switch (map->mappings->etype) {
+ case EXPR_VARIABLE:
case EXPR_SET:
key = constant_expr_alloc(&stmt->location,
ctx->ectx.dtype,
new file mode 100755
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This is the test-case:
+# * creating valid named objects and using map variables in statements
+
+RULESET='
+define counter_map = { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123" }
+define quota_map = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
+
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+ counter user321 {
+ packets 12 bytes 1433
+ }
+ quota user123 {
+ over 2000 bytes
+ }
+ quota user124 {
+ over 2000 bytes
+ }
+ chain y {
+ type filter hook input priority 0; policy accept;
+ counter name ip saddr map $counter_map
+ quota name ip saddr map $quota_map drop
+ }
+}'
+
+set -e
+$NFT -f - <<< "$RULESET"
new file mode 100755
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Variable containing anonymous map can be added to a snat rule
+
+set -e
+
+RULESET='
+define m = {1.1.1.1 : 2.2.2.2}
+table nat {
+ chain postrouting {
+ snat ip saddr map $m
+ }
+}
+'
+
+$NFT -f - <<< "$RULESET"
new file mode 100644
@@ -0,0 +1,147 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "x",
+ "name": "y",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "counter": {
+ "family": "inet",
+ "name": "user321",
+ "table": "x",
+ "handle": 0,
+ "packets": 12,
+ "bytes": 1433
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user123",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "quota": {
+ "family": "inet",
+ "name": "user124",
+ "table": "x",
+ "handle": 0,
+ "bytes": 2000,
+ "used": 0,
+ "inv": true
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "user123"
+ ],
+ [
+ "2.2.2.2",
+ "user123"
+ ],
+ [
+ "192.168.2.2",
+ "user123"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "x",
+ "chain": "y",
+ "handle": 0,
+ "expr": [
+ {
+ "quota": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "192.168.2.2",
+ "user124"
+ ],
+ [
+ "192.168.2.3",
+ "user124"
+ ]
+ ]
+ }
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ ]
+}
new file mode 100644
@@ -0,0 +1,23 @@
+table inet x {
+ counter user123 {
+ packets 12 bytes 1433
+ }
+
+ counter user321 {
+ packets 12 bytes 1433
+ }
+
+ quota user123 {
+ over 2000 bytes
+ }
+
+ quota user124 {
+ over 2000 bytes
+ }
+
+ chain y {
+ type filter hook input priority filter; policy accept;
+ counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+ quota name ip saddr map { 192.168.2.2 : "user124", 192.168.2.3 : "user124" } drop
+ }
+}
new file mode 100644
@@ -0,0 +1,58 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "nat",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "nat",
+ "name": "postrouting",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "nat",
+ "chain": "postrouting",
+ "handle": 0,
+ "expr": [
+ {
+ "snat": {
+ "addr": {
+ "map": {
+ "key": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
new file mode 100644
@@ -0,0 +1,5 @@
+table ip nat {
+ chain postrouting {
+ snat to ip saddr map { 1.1.1.1 : 2.2.2.2 }
+ }
+}
It is possible to use a variable to initialize a map, which is then used in a map statement: define dst_map = { ::1234 : 5678 } table ip6 nat { map dst_map { typeof ip6 daddr : tcp dport; elements = $dst_map } chain prerouting { ip6 nexthdr tcp redirect to ip6 daddr map @dst_map } } However, if one tries to use the variable directly in the statement: define dst_map = { ::1234 : 5678 } table ip6 nat { chain prerouting { ip6 nexthdr tcp redirect to ip6 daddr map $dst_map } } nft rejects it: /space/azazel/tmp/ruleset.1067161.nft:5:47-54: Error: invalid mapping expression variable ip6 nexthdr tcp redirect to ip6 daddr map $dst_map ~~~~~~~~~ ^^^^^^^^ It also rejects variables in stateful object statements: define quota_map = { 192.168.10.123 : "user123", 192.168.10.124 : "user124" } table ip nat { quota user123 { over 20 mbytes } quota user124 { over 20 mbytes } chain prerouting { quota name ip saddr map $quota_map } } thus: /space/azazel/tmp/ruleset.1067161.nft:15:29-38: Error: invalid mapping expression variable quota name ip saddr map $quota_map ~~~~~~~~ ^^^^^^^^^^ Extend `expr_evaluate_map` to allow them. Add test-cases. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067161 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> --- src/evaluate.c | 2 + .../shell/testcases/maps/0024named_objects_1 | 31 ++++ .../shell/testcases/maps/anonymous_snat_map_1 | 16 ++ .../maps/dumps/0024named_objects_1.json-nft | 147 ++++++++++++++++++ .../maps/dumps/0024named_objects_1.nft | 23 +++ .../maps/dumps/anonymous_snat_map_1.json-nft | 58 +++++++ .../maps/dumps/anonymous_snat_map_1.nft | 5 + 7 files changed, 282 insertions(+) create mode 100755 tests/shell/testcases/maps/0024named_objects_1 create mode 100755 tests/shell/testcases/maps/anonymous_snat_map_1 create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_1.json-nft create mode 100644 tests/shell/testcases/maps/dumps/0024named_objects_1.nft create mode 100644 tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft create mode 100644 tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft