* how to do port forwarding using nftables map
@ 2015-09-21 2:09 神楽坂玲奈
2015-09-21 8:49 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: 神楽坂玲奈 @ 2015-09-21 2:09 UTC (permalink / raw)
To: netfilter
I'm doing many port forwarding service on a linux server. There will
be many(may thousands of) port forward rule so I want to use nftables
map to improve performance rather than just many rules.
the policy will be [protocol : port -> address : port], like [tcp 1234
-> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
protocol port 4321.
the protocol may only tcp and udp. so it's also ok if the key can
support only one port field. i can set maps and rules for each
protocol.
the problem is, how to define the value "ip:port" using map?
I tried create 2 maps, using
> nft add map nat forward_address {type inet_service : ipv4_addr \;}
> nft add map nat forward_port {type inet_service : inet_service \;}
but then I don't know how to set dnat rule....... seems the dnat
destnation can only accept one map value? and also i don't know how to
set "ip:port" as one value in map.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: how to do port forwarding using nftables map
2015-09-21 2:09 how to do port forwarding using nftables map 神楽坂玲奈
@ 2015-09-21 8:49 ` Pablo Neira Ayuso
2015-09-21 15:30 ` 神楽坂玲奈
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-21 8:49 UTC (permalink / raw)
To: 神楽坂玲奈; +Cc: netfilter
On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
> I'm doing many port forwarding service on a linux server. There will
> be many(may thousands of) port forward rule so I want to use nftables
> map to improve performance rather than just many rules.
>
> the policy will be [protocol : port -> address : port], like [tcp 1234
> -> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
> protocol port 4321.
> the protocol may only tcp and udp. so it's also ok if the key can
> support only one port field. i can set maps and rules for each
> protocol.
>
> the problem is, how to define the value "ip:port" using map?
>
> I tried create 2 maps, using
>
> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
> > nft add map nat forward_port {type inet_service : inet_service \;}
>
> but then I don't know how to set dnat rule....... seems the dnat
> destnation can only accept one map value? and also i don't know how to
> set "ip:port" as one value in map.
Could you provide an example of your iptables ruleset? Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: how to do port forwarding using nftables map
2015-09-21 8:49 ` Pablo Neira Ayuso
@ 2015-09-21 15:30 ` 神楽坂玲奈
2015-09-21 20:03 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: 神楽坂玲奈 @ 2015-09-21 15:30 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
--to-destination 1.1.1.1:2222
iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
--to-destination 2.2.1.1:1234
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
--to-destination 1.1.1.1:1234
iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
--to-destination 8.8.8.8:53
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
--to-destination 2.2.2.21234
(many of these)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
2015-09-21 16:49 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Mon, Sep 21, 2015 at 10:09:25AM +0800, 神楽坂玲奈 wrote:
>> I'm doing many port forwarding service on a linux server. There will
>> be many(may thousands of) port forward rule so I want to use nftables
>> map to improve performance rather than just many rules.
>>
>> the policy will be [protocol : port -> address : port], like [tcp 1234
>> -> 1.1.1.1:4321], forward tcp 1234 port to address 1.1.1.1 same
>> protocol port 4321.
>> the protocol may only tcp and udp. so it's also ok if the key can
>> support only one port field. i can set maps and rules for each
>> protocol.
>>
>> the problem is, how to define the value "ip:port" using map?
>>
>> I tried create 2 maps, using
>>
>> > nft add map nat forward_address {type inet_service : ipv4_addr \;}
>> > nft add map nat forward_port {type inet_service : inet_service \;}
>>
>> but then I don't know how to set dnat rule....... seems the dnat
>> destnation can only accept one map value? and also i don't know how to
>> set "ip:port" as one value in map.
>
> Could you provide an example of your iptables ruleset? Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: how to do port forwarding using nftables map
2015-09-21 15:30 ` 神楽坂玲奈
@ 2015-09-21 20:03 ` Pablo Neira Ayuso
2015-09-22 2:21 ` 神楽坂玲奈
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-21 20:03 UTC (permalink / raw)
To: 神楽坂玲奈; +Cc: netfilter
On Mon, Sep 21, 2015 at 11:30:54PM +0800, 神楽坂玲奈 wrote:
> iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
> --to-destination 1.1.1.1:2222
> iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
> --to-destination 2.2.1.1:1234
> iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
> --to-destination 1.1.1.1:1234
> iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
> --to-destination 8.8.8.8:53
> iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
> --to-destination 2.2.2.21234
> (many of these)
nft add rule nat prerouting dnat \
tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : tcp dport map { 1000 : 1234, 1001 : 2222 }
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: how to do port forwarding using nftables map
2015-09-21 20:03 ` Pablo Neira Ayuso
@ 2015-09-22 2:21 ` 神楽坂玲奈
0 siblings, 0 replies; 5+ messages in thread
From: 神楽坂玲奈 @ 2015-09-22 2:21 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
great! it works, thanks.
2015-09-22 4:03 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Mon, Sep 21, 2015 at 11:30:54PM +0800, 神楽坂玲奈 wrote:
>> iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p tcp --dport 1001 -j DNAT
>> --to-destination 1.1.1.1:2222
>> iptables -t nat -A PREROUTING -p tcp --dport 1002 -j DNAT
>> --to-destination 2.2.1.1:1234
>> iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p udp --dport 1000 -j DNAT
>> --to-destination 1.1.1.1:1234
>> iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT
>> --to-destination 8.8.8.8:53
>> iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT
>> --to-destination 2.2.2.21234
>> (many of these)
>
> nft add rule nat prerouting dnat \
> tcp dport map { 1000 : 1.1.1.1, 2000 : 1.1.1.1 } : tcp dport map { 1000 : 1234, 1001 : 2222 }
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-09-22 2:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-21 2:09 how to do port forwarding using nftables map 神楽坂玲奈
2015-09-21 8:49 ` Pablo Neira Ayuso
2015-09-21 15:30 ` 神楽坂玲奈
2015-09-21 20:03 ` Pablo Neira Ayuso
2015-09-22 2:21 ` 神楽坂玲奈
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.