When creating a dnat rule, you can specify the following command:

nft 'add rule ip twilight prerouting ip daddr 1.2.3.0/24 dnat ip prefix to ip daddr map { 1.2.3.0/24 : 2.3.4.0/24 }'

And then get dnat that maps addresses like 1.2.3.4 -> 2.3.4.4. This command runs as expected with nftables v1.0.4 (Lester Gooch #3), and according to the answer here.

If I try to do the same with IPv6, using the following commands:

nft 'add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { [aa:bb:cc:dd::]/64 : [bb:cc:dd:ee::]/64 }'
nft 'add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { aa:bb:cc:dd::/64 : bb:cc:dd:ee::/64 }'
nft 'add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { "aa:bb:cc:dd::/64" : "bb:cc:dd:ee::/64" }'

Then, I get the following error messages:

Error: syntax error, unexpected newline
add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { [aa:bb:cc:dd::]/64 : [bb:cc:dd:ee::]/64 }
                                                                                                                                        ^
Error: syntax error, unexpected newline
add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { aa:bb:cc:dd::/64 : bb:cc:dd:ee::/64 }
                                                                                                                                    ^
Error: syntax error, unexpected newline
add rule ip6 twilight prerouting ip6 daddr aa:bb:cc:dd::/64 dnat ip6 prefix to ip6 daddr map { "aa:bb:cc:dd::/64" : "bb:cc:dd:ee::/64" }
                                                                                                                                        ^

Is there a way that I can make anonymous IPv6 maps in nftables?

1 Answer

TL;DR: You need at least nftables version >= 1.0.5.

In version 1.0.5:

      scanner: allow prefix in ip6 scope

Which matches this commit:

scanner: allow prefix in ip6 scope

'ip6 prefix' is valid syntax, so make sure scanner recognizes it also in ip6 context.

Also add test case.

[...]

diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0
index 2804a4a2..60bda401 100755
--- a/tests/shell/testcases/sets/0046netmap_0
+++ b/tests/shell/testcases/sets/0046netmap_0
@@ -8,6 +8,12 @@ EXPECTED="table ip x {
                           10.141.13.0/24 : 192.168.4.0/24 > }
             }
      }
+     table ip6 x {
+            chain y {
+                    type nat hook postrouting priority srcnat; policy accept;
+                    snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+            }
+     }
 "
 
 set -e
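Review bot: the hunk extends only the EXPECTED string with the new `table ip6 x` block (the `snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }` line), while the part of the test that actually loads the ruleset lies outside the visible lines; EXPECTED is evidently the listing the test compares against, so the loaded ruleset must gain the identical ip6 table or the comparison fails. The new block also exercises the ip6 scanner scope only through the snat/saddr form; since the commit message describes the fix generically as `ip6 prefix` being valid syntax, a dnat/daddr rule in the same ip6 table (e.g. in a prerouting chain) would cover the other common netmap form at no extra cost.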

The corresponding regression test is similar to OP's attempt. OP's syntax tested OK here with nftables 1.0.7.

  • I didn't manage to use a workaround (that would use raw payload mangling: conntrack wouldn't catch the change contrary to my expectation and only the first packet of a flow was NAT-ed in the attempt). Commented Mar 31, 2023 at 17:20
  • Tested and working against nftables 1.0.7, thank you very much! Commented Mar 31, 2023 at 23:16
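The rules above rely on nftables' netmap behaviour: `prefix to <addr> map { A/n : B/n }` keeps the host bits of the original address and swaps in the network bits of the target prefix, which is why 1.2.3.4 lands on 2.3.4.4 and aa:bb:cc:dd::1 would land on bb:cc:dd:ee::1. The Python below is an added example (not code from the question, the answer or the nftables project) that models that translation for both families and gates on the `nft --version` banner for the 1.0.5 release that fixed the ip6 scanner scope. The banner strings and the sample addresses are constructed; the model assumes the kernel preserves the bits not covered by the target prefix, which is the behaviour the page's 1.2.3.4 -> 2.3.4.4 example shows.

```python
"""Model of nftables netmap translation plus a version gate for the
'ip6 prefix' syntax fix. Added example, not nftables project code."""
import ipaddress
import re

# First release whose scanner accepts 'prefix' in ip6 scope (from the answer).
IP6_PREFIX_MIN_VERSION = (1, 0, 5)


def netmap(addr, src_prefix, dst_prefix):
    """Return the address a 'prefix to ... map { src_prefix : dst_prefix }'
    rule would produce for addr.

    Host bits (those outside dst_prefix's mask) are kept, network bits are
    taken from dst_prefix, so the mapping is 1:1 and needs no port state.
    An address outside src_prefix is returned unchanged: the map key does not
    match, so the rule does not fire.
    """
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(src_prefix, strict=False)
    dst = ipaddress.ip_network(dst_prefix, strict=False)
    if not (ip.version == src.version == dst.version):
        raise ValueError("address, key prefix and value prefix must share a family")
    if ip not in src:
        return ip
    # Assumption (see lead-in): bits not covered by the target prefix survive.
    host_bits = int(ip) & int(dst.hostmask)
    new_value = int(dst.network_address) | host_bits
    # type(ip)(...) keeps the family; ip_address(int) would guess from magnitude.
    return type(ip)(new_value)


def parse_nft_version(banner):
    """Extract (major, minor, patch) from an 'nft --version' banner such as
    'nftables v1.0.4 (Lester Gooch #3)'. Raises ValueError if absent."""
    m = re.search(r"\bv(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def supports_ip6_prefix_map(banner):
    """True when the installed nft can parse 'dnat ip6 prefix to ip6 daddr map'."""
    return parse_nft_version(banner) >= IP6_PREFIX_MIN_VERSION


def netmap_rule(family, table, chain, field, src_prefix, dst_prefix, nat="dnat"):
    """Build the rule text in the form used on this page, for either family."""
    return (f"add rule {family} {table} {chain} {family} {field} {src_prefix} "
            f"{nat} {family} prefix to {family} {field} map "
            f"{{ {src_prefix} : {dst_prefix} }}")


if __name__ == "__main__":
    # Constructed sample flows, one per family, run through the model.
    for addr, key, value in [
        ("1.2.3.4", "1.2.3.0/24", "2.3.4.0/24"),
        ("aa:bb:cc:dd::1", "aa:bb:cc:dd::/64", "bb:cc:dd:ee::/64"),
        ("10.9.8.7", "1.2.3.0/24", "2.3.4.0/24"),  # not in key: unchanged
    ]:
        print(f"{addr} -> {netmap(addr, key, value)}")
    print(netmap_rule("ip6", "twilight", "prerouting", "daddr",
                      "aa:bb:cc:dd::/64", "bb:cc:dd:ee::/64"))
    for banner in ("nftables v1.0.4 (Lester Gooch #3)", "nftables v1.0.7 (constructed)"):
        print(banner, "->", "ok" if supports_ip6_prefix_map(banner) else "too old")
```

Running the script prints the translated addresses and the rule text for OP's table; the version check is the piece worth keeping in a deployment script, since the IPv6 rule fails with a bare syntax error rather than a feature-not-supported message on 1.0.4.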
