bugzilla-daemon at netfilter.org
2020-Feb-27 08:40 UTC
[Bug 1410] New: STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

            Bug ID: 1410
           Summary: STATELESS, rules with notrack into a map
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: e.lohmann at mdex.de

I would like to put rules like this into a map. But there is no command (set) to use the map in raw, like we do it in STATEFUL with dnat / snat.

nft add rule raw PREROUTING ip daddr *publicIP* counter notrack ip daddr set *privateIP*
nft add rule raw PREROUTING ip saddr *privateIP* counter notrack ip saddr set *publicIP*

I do this in STATEFUL with:

dnat to ip daddr map @pubip_pre
snat to ip saddr map @pubip_post

Open for any discussion and questions, thanks in forward, eike.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200227/45f20d88/attachment.html>
bugzilla-daemon at netfilter.org
2020-Feb-27 08:41 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

e.lohmann at mdex.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |e.lohmann at mdex.de
bugzilla-daemon at netfilter.org
2020-Apr-15 21:24 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

I'm not sure I understand, do you mean something like this?

nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

This reads as follows: if packets come _from_ IP address 1.1.1.1, then rewrite the destination address to 2.2.2.2, and so on.
bugzilla-daemon at netfilter.org
2020-Apr-16 08:02 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #2 from e.lohmann at mdex.de ---
Hi Pablo,

thanks for your answer. No, what I like to do in RAW is the same I do in NAT Pre/Post.

dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }

This reads as follows: if packets are sent _to_ IP address 1.1.1.1, then rewrite the destination address to 2.2.2.2 and so on.

snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }

This reads as follows: if packets come _from_ IP address 2.2.2.2, then rewrite the source address to 1.1.1.1 and so on.

With this mechanism we map public IP addresses to private and vice versa. With 2 or more internet access points it's possible that traffic for an address comes in on point A and leaves the system on point B. The STATEFUL rules on point B are NOT working if the IP packet is e.g. TCP, ICMP and NOT new.

What I try to accomplish in raw is that this can be done without any conntrack state for all packets in raw. Right now there is no way to create a map in raw and do address rewrite.

Regards,
Eike
bugzilla-daemon at netfilter.org
2020-Apr-16 08:20 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to e.lohmann from comment #2)
> Hi Pablo,
> 
> thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> Pre/Post.
> 
> dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
> 
> This reads as follows: if packets send _to_ IP address 1.1.1.1, the rewrite
> destination address to 2.2.2.2 and so on.

This rule represents the stateless dnat that you are asking for:

nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

This reads as: set IP destination address based on the map lookup. This map lookup takes packets sent to IP address 1.1.1.1 and it returns 2.2.2.2, which is used to rewrite the IP destination.

> snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> 
> This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> rewrite source address to 1.1.1.1 and so on.

nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

Similar rule as above, but "ip saddr set" is used.

[...]

> Right now there is no way to create a map in raw and do address rewrite.

Did you give a try to the examples above?

Thank you.
bugzilla-daemon at netfilter.org
2020-Apr-16 08:25 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #3)
> (In reply to e.lohmann from comment #2)
> > Hi Pablo,
> > 
> > thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> > Pre/Post.
> > 
> > dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }

nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

If you would like to rewrite the destination address based on the existing destination IP address.

Map lookups allow for any criteria, including concatenations, e.g.

nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack

In this example, if packets are coming from 1.1.1.1 and going to 2.2.2.2, then the IP destination address is rewritten to 3.3.3.3
bugzilla-daemon at netfilter.org
2020-Apr-16 08:33 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #3)
[...]
> > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > 
> > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > rewrite source address to 1.1.1.1 and so on.
> 
> nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> 1.1.1.2 : 2.2.2.3 } notrack

Assuming the legacy table/chains, you can use postrouting/mangle for the stateless dnat

nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
bugzilla-daemon at netfilter.org
2020-Apr-16 08:54 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #5)
> (In reply to Pablo Neira Ayuso from comment #3)
> [...]
> > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > > 
> > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > > rewrite source address to 1.1.1.1 and so on.
> > 
> > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> > 1.1.1.2 : 2.2.2.3 } notrack
> 
> Assuming the legacy table/chains, you can use posrtouting/mangle for the
> stateless dnat

You will still need to disable conntrack from PREROUTING for stateless dnat, so this would be:

nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2 } notrack

The rule above disables conntrack for traffic coming from 1.1.1.1 and 1.1.1.2, then:

nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }

This rule performs the stateless snat.

I can place these examples in the wiki if you like.
bugzilla-daemon at netfilter.org
2020-Apr-16 08:56 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #6)
> (In reply to Pablo Neira Ayuso from comment #5)
> > (In reply to Pablo Neira Ayuso from comment #3)
> > [...]
> > > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > > > 
> > > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > > > rewrite source address to 1.1.1.1 and so on.
> > > 
> > > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> > > 1.1.1.2 : 2.2.2.3 } notrack
> > 
> > Assuming the legacy table/chains, you can use posrtouting/mangle for the
> > stateless dnat
> 
> You will still still to disable conntrack from PREROUTING for stateless
> dnat, so this would be:

This example is actually stateless snat, sorry for the typo.

> nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2} notrack
> 
> The rule above disables conntrack for traffic coming from 1.1.1.1 and
> 1.1.1.2, then:
> 
> nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 :
> 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
> 
> This rule performs the stateless snat.
> 
> I can place these examples in the wiki if you like.
bugzilla-daemon at netfilter.org
2020-Apr-17 13:24 UTC
[Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #8 from e.lohmann at mdex.de ---
Hi Pablo,

both rules are accepted by nft, and I think it will do the job.

nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
nft add rule raw PREROUTING ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack

table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
		ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
		ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack
	}
}

> nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack

Nice possibility to do a rewrite on saddr and daddr inside a map!

The stateless snat example in mangle POSTROUTING is also a good idea, thank you for that!

Yes, please put this into the wiki; it will help to understand what is possible with nft.

Is it also possible to add a network or range into a map and do a saddr/daddr rewrite? Like it was possible with netmap in iptables?

Regards,
Eike
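The scheme worked out across comments #4, #6 and #8 (map-based rewrite plus notrack in raw PREROUTING, reverse map in mangle POSTROUTING) is collected below as an added worked example. It is not code from the bug report, from Eike, or from the nftables project: it is a small POSIX shell generator that turns a constructed list of public/private address pairs into a complete ruleset for `nft -f`, so the forward and reverse maps cannot drift apart when pairs are added. The pair list, the function names and the table/chain names are assumptions chosen for the example; the hook priorities (-300 for raw, -150 for mangle) are the legacy-compatible ones the thread relies on.

```shell
#!/bin/sh
# Added example, not part of bug 1410 or the nftables project: generate a
# stateless 1:1 address-rewrite ruleset from a list of public/private pairs,
# following the scheme discussed in the thread:
#   - raw PREROUTING (priority -300, i.e. before conntrack at -200):
#       rewrite the destination of packets sent to a public IP via a map and
#       mark them notrack in the same rule; mark packets coming from the
#       private hosts notrack as well, so no conntrack entry is ever created.
#   - mangle POSTROUTING: rewrite the source of packets from the private
#       hosts back to their public IP via the reverse map.

# Constructed sample data (assumption): "<public IP> <private IP>", one pair per line.
PAIRS='1.1.1.1 2.2.2.2
1.1.1.2 2.2.2.3'

# Emit the body of a map, "key : value, ...". $1 selects the direction:
# "fwd" maps public -> private, "rev" maps private -> public.
map_body() {
    printf '%s\n' "$PAIRS" | awk -v dir="$1" '
        NF == 2 {
            key = (dir == "fwd") ? $1 : $2
            val = (dir == "fwd") ? $2 : $1
            out = out sep key " : " val
            sep = ", "
        }
        END { print out }'
}

# Emit the body of an anonymous set, "a, b, ...", from column $1 of PAIRS
# (1 = public addresses, 2 = private addresses).
set_body() {
    printf '%s\n' "$PAIRS" | awk -v col="$1" '
        NF == 2 { out = out sep $col; sep = ", " }
        END { print out }'
}

# Print a complete nft ruleset (suitable for "nft -f") to stdout.
gen_ruleset() {
    fwd=$(map_body fwd)
    rev=$(map_body rev)
    priv=$(set_body 2)
    cat <<EOF
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        # stateless dnat: public -> private, and no conntrack entry for it
        ip daddr set ip daddr map { $fwd } notrack
        # replies from the private hosts must bypass conntrack too
        ip saddr { $priv } notrack
    }
}
table ip mangle {
    chain POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
        # stateless snat: private -> public on the way out
        ip saddr set ip saddr map { $rev }
    }
}
EOF
}

# Syntax-check the generated ruleset with "nft -c" when nft is installed;
# this only parses the ruleset, it does not load it into the kernel.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -c -f -
    else
        echo "nft not found, skipping syntax check" >&2
    fi
}

gen_ruleset
```

Run it as `sh gen-stateless-nat.sh > stateless-nat.nft` and load the result with `nft -f stateless-nat.nft` (or call `check_ruleset` first on a host with nft installed). Two points worth keeping in mind when deploying this: because the flows are never tracked, `ct state` rules elsewhere in the ruleset will not see them, so any filtering for these addresses has to be written statelessly as well; and the notrack rule for the private hosts must sit in the raw hook, as in comment #6, since a notrack statement after conntrack has already run has no effect.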