Debian Patches

Status for nftables/1.0.9-2

Patch Description Author Forwarded Bugs Origin Last update
variables-in-map-statements-fix.patch
add support for variables in map expressions

It is possible to use a variable to initialize a map, which is then used
in a map statement:

    define dst_map = { ::1234 : 5678 }

    table ip6 nat {
        map dst_map {
            typeof ip6 daddr : tcp dport;
            elements = $dst_map
        }
        chain prerouting {
            ip6 nexthdr tcp redirect to ip6 daddr map @dst_map
        }
    }

However, if one tries to use the variable directly in the statement:

    define dst_map = { ::1234 : 5678 }

    table ip6 nat {
        chain prerouting {
            ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
        }
    }

nft rejects it:

    /space/azazel/tmp/ruleset.1067161.nft:5:47-54: Error: invalid mapping expression variable
    ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
    ~~~~~~~~~ ^^^^^^^^

It also rejects variables in stateful object statements:

    define quota_map = { 192.168.10.123 : "user123", 192.168.10.124 : "user124" }

    table ip nat {
        quota user123 { over 20 mbytes }
        quota user124 { over 20 mbytes }
        chain prerouting {
            quota name ip saddr map $quota_map
        }
    }

thus:

    /space/azazel/tmp/ruleset.1067161.nft:15:29-38: Error: invalid mapping expression variable
    quota name ip saddr map $quota_map
    ~~~~~~~~ ^^^^^^^^^^

Jeremy Sowden <azazel@debian.org> yes debian 2024-05-23
