
I'm currently in the process of migrating a firehol-based router firewall to nftables. In general, there are no issues on the functional level; however, as I like to summarize repetitive sections with maps and sets as much as possible, I'm struggling to get counters added in the same "pass". Let's take for example these dnat rules:

    table t1 {
        chain c1 {
            type nat hook prerouting priority dstnat;

            # compact form (works)
            dnat to ip daddr map { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 }

            # syntactically correct, but counts all dnated traffic
            counter dnat to daddr map { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 }

            # Does not work (why?)
            ip daddr dnat to map { 192.168.22.22 : 86.12.22.22, 192.168.22.23 : 86.12.22.23 }

            # long form (with counter, works)
            ip daddr 86.12.22.22 counter dnat to 192.168.22.22
        }
    }

Do you know a way of somehow incorporating counters into a map-based rule?

1 Answer


OK, I found the answer myself. It is possible using named maps:

    table t1 {
        map one2one_dnat {
            type ipv4_addr : ipv4_addr
            flags interval
            counter
            comment "1-1 dnat"
            elements = { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 }
        }

        chain c1 {
            type nat hook prerouting priority dstnat;
            dnat to ip daddr map @one2one_dnat
        }
    }

Since 1.0.0 it should be possible to use "stateful expressions in maps"; however, I found no way of getting this feature to work...
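The following is an added example that is not part of the question or the answer above. It takes the answer's named-map approach and carries it through both NAT directions, so that every 1:1 pair keeps its own packet and byte counters while each chain stays a single rule. The addresses are the ones from the question; the table and chain names, the map names and the WAN interface name (wan0) are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the question or answer. Loadable as a whole
# ruleset with: nft -f <this file>
# Assumed names: table t1, chains prerouting/postrouting, maps one2one_dnat
# and one2one_snat, WAN interface wan0.

flush ruleset

table ip t1 {
    # Inbound: public address -> internal address.
    # "counter" declared on the map attaches a separate counter to each
    # element; a counter statement on the rule would only count the total.
    map one2one_dnat {
        type ipv4_addr : ipv4_addr
        counter
        comment "1:1 dnat, counted per element"
        elements = {
            86.12.22.22 : 192.168.22.22,
            86.12.22.23 : 192.168.22.23
        }
    }

    # Outbound: the same pairs inverted, so connections initiated from the
    # inside leave with the matching public address and are counted per host.
    map one2one_snat {
        type ipv4_addr : ipv4_addr
        counter
        comment "1:1 snat, counted per element"
        elements = {
            192.168.22.22 : 86.12.22.22,
            192.168.22.23 : 86.12.22.23
        }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" dnat to ip daddr map @one2one_dnat
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" snat to ip saddr map @one2one_snat
    }
}
```

After loading, `nft list map ip t1 one2one_dnat` prints each element together with its own `counter packets N bytes M`, which is the per-mapping accounting that a `counter` placed in the chain rule cannot provide. `priority srcnat` is the named postrouting NAT priority (100), the counterpart of `dstnat` (-100) used in the prerouting chain.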
