nftables nft -f error

Asked by Karl Baum

Error summary: I can add a nat map element via the "sudo nft add element" command, but cannot add the same element via "sudo nft -f" using the same syntax as shown by "sudo nft list table ip nat -a". See details below.

sudo nft add element nat tcp_nat_map { 81 : 192.168.1.100, 8080 : 192.168.1.101 }

sudo nft list table ip nat -a

table ip nat {
        map tcp_nat_map {
                type inet_service : ipv4_addr
                elements = { 81 : 192.168.1.100, http-alt : 192.168.1.101}
        }

        map udp_nat_map {
                type inet_service : ipv4_addr
        }

        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                iif eno1 tcp dport { https, http} dnat 192.168.1.15 # handle 3
                iif eno1 tcp dport { pop3s, imaps, smtp} dnat 192.168.1.16 # handle 4
                iif eno1 dnat tcp dport map @tcp_nat_map # handle 5
                iif eno1 dnat tcp dport map @udp_nat_map # handle 6
        }

        chain postrouting {
                type nat hook postrouting priority 0; policy accept;
                oif eno1 masquerade # handle 7
        }
}

sudo nft -f nat.nft
nat.nft:11:20-39: Error: mapping outside of map context
        elements = { 81 : 192.168.1.100, http-alt : 192.168.1.101}
                   ^^^^^^^^^^^^^^^^^^^^
vim nat.nft

define if_wan = eno1

define if_lan = br0

flush ruleset

table ip nat {

 map tcp_nat_map {
        type inet_service : ipv4_addr
        elements = { 81 : 192.168.1.100, http-alt : 192.168.1.101}
 }

 map udp_nat_map {
        type inet_service : ipv4_addr;
 }

 chain prerouting {
        type nat hook prerouting priority 0;
        iif $if_wan tcp dport {80, 443 } dnat 192.168.1.15
        iif $if_wan tcp dport {25, 993,995 } dnat 192.168.1.16
        iif $if_wan dnat tcp dport map @tcp_nat_map
        iif $if_wan dnat tcp dport map @udp_nat_map
        #tcp dport 2222 dnat home_srv # ssh
        #udp dport 61001-62000 dnat home_srv # mosh
 }

 chain postrouting {
        type nat hook postrouting priority 0;
        oif $if_wan masquerade
 }

}

System info:
Description: Ubuntu 16.04.2 LTS
Release: 16.04

apt-cache policy nftables :
nftables:
  Installed: 0.5+snapshot20151106-1
  Candidate: 0.5+snapshot20151106-1
  Version table:
 *** 0.5+snapshot20151106-1 500
        500 http://au.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.