Nftables map expects IPv6 address, mapping expression has type integer

Question

I need to change the destination address of an IPv6 packet depending on the payload of that packet.

I'm using a raw payload expression to extract the encapsulated IPv6 address inside that packet and want to use a map to determine the new destination address the outer packet.

The following minimized version of my nftables.conf fails to load:

table ip6 test {
    map iptoip {
        type ipv6_addr : ipv6_addr
    }
    chain foo {
        type filter hook postrouting priority srcnat; policy accept;
        #...
        ip6 daddr set @th,384,128 map @iptoip
    }
}

Trying to load this config with nft -f minimized.conf fails with the following error:

minimized.conf:8:39-45: Error: datatype mismatch, map expects IPv6 address, mapping expression has type integer
        ip6 daddr set @th,384,128 map @iptoip
                      ~~~~~~~~~~~     ^^^^^^^

Is it possible to convince nftables that a 128 bit integer can be used as a IPv6 address?

I may have found a workaround: First set the destination address to the output of the raw payload expression and use the map in the next statement with the temporary destination address as the key. (Loads fine, but not yet tested for functionality) — Jakob, Jan 26 '23 at 21:08

Nftables map expects IPv6 address, mapping expression has type integer

0 Answers0