From: Pablo Neira Ayuso <pablo@netfilter.org>
To: 神楽坂玲奈 <zh99998@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: how to do port forwarding using nftables map
Date: Mon, 21 Sep 2015 10:49:06 +0200
Message-ID: <20150921084906.GA3549@salvia>
In-Reply-To: <CAP8bwDUTn=zfWNjzypzLw5a4z7earJ6Ou2Uh4JHv_Am9uu_4Lw@mail.gmail.com>

On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
> I'm running many port forwarding services on a Linux server. There will
> be many (maybe thousands of) port forward rules, so I want to use an nftables
> map to improve performance rather than just many rules.
>
> The policy will be [protocol : port -> address : port], like [tcp 1234
> -> 1.1.1.1:4321]: forward tcp port 1234 to address 1.1.1.1, same
> protocol, port 4321.
> The protocol may only be tcp or udp, so it's also OK if the key can
> support only one port field. I can set maps and rules for each
> protocol.
>
> The problem is, how to define the value "ip:port" using a map?
>
> I tried creating 2 maps, using
>
> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
> > nft add map nat forward_port {type inet_service : inet_service \;}
>
> but then I don't know how to set the dnat rule....... seems the dnat
> destination can only accept one map value? And also I don't know how to
> set "ip:port" as one value in a map.

Could you provide an example of your iptables ruleset? Thanks.