From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Gennady Kovalev <gik@bigur.ru>
Cc: netfilter@vger.kernel.org
Subject: Re: Forward local traffic to another host with nftables
Date: Thu, 3 Nov 2016 17:25:15 +0100
Message-ID: <20161103162515.GA3651@salvia>
In-Reply-To: <2117c0fd-7d34-0cdb-1d9a-3cb41528ce80@bigur.ru>
On Tue, Nov 01, 2016 at 12:36:39AM +0300, Gennady Kovalev wrote:
> 31.10.2016 22:24, Pablo Neira Ayuso wrote:
> > On Mon, Oct 31, 2016 at 08:33:57PM +0300, Геннадий Ковалёв wrote:
> > > I have a Linux box (external IP x.x.x.x; internal bridge (br0) IP
> > > 10.0.2.1) with an LXC container (10.0.2.22). I want to translate local HTTP
> > > packets with daddr set to the public IP to the LXC container. I have put a
> > > dnat rule in the nat chain with the output hook, and an snat rule in the nat
> > > table with the postrouting hook:
> >
> > From
> > https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
> >
> > "You have to register the prerouting chain even if you have no rules
> > there since this chain invokes the NAT engine for the packets coming
> > in the input path."
>
> Oh, I tried to make the example simple and made a mistake in the simple config.
> Another try:
>
> root@sed:~# nft list ruleset
> table ip nat {
> chain prerouting {
> type nat hook prerouting priority 0; policy accept;
I can also see the priority numbers don't match the ones we use in
iptables. This should be:
priority -100
> }
>
> chain output {
> type nat hook output priority 0; policy accept;
> oif lo ip daddr x.x.x.x tcp dport http counter nftrace set 1
> dnat 10.0.2.22
> }
>
> chain postrouting {
> type nat hook postrouting priority 0; policy accept;
This should be:
priority 100
> oif br0 ip saddr x.x.x.x counter snat 10.0.2.1
> }
> }
>
> And cut tcpdump output:
> IP 10.0.2.1.36320 > 10.0.2.22.80: Flags [S], seq 2655320356...
> IP 10.0.2.22.80 > x.x.x.x.36320: Flags [S.], seq 1337026682, ack
> 2655320357...
> IP x.x.x.x.36320 > 10.0.2.22.80: Flags [R], seq 2655320357...
>
> It looks like on the reverse path the IP changed by snat is restored, but the
> one changed by dnat is not.
Out of curiosity, is iptable_nat loaded? If so, rmmod iptable_nat.
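For reference, here is the quoted ruleset with both priority corrections from this reply applied (added as an example, not part of the original thread). It assumes the same addresses and interfaces the poster used (x.x.x.x, br0, 10.0.2.22, 10.0.2.1) and uses the current `dnat to` / `snat to` spelling of the NAT statements; the 2016 nft accepted the bare form shown in the quoted ruleset.

```nft
# Corrected version of the quoted ruleset (example, not from the original post).
# Changes against the quoted config: prerouting priority -100, postrouting
# priority 100, matching the hook order iptables' nat table uses.
table ip nat {
	# Must be registered even without rules: it engages the NAT engine
	# for packets arriving in the input path (see the wiki quote above).
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
	}

	# Locally generated traffic to the public address is redirected
	# to the container.
	chain output {
		type nat hook output priority 0; policy accept;
		oif lo ip daddr x.x.x.x tcp dport http counter dnat to 10.0.2.22
	}

	# Source is rewritten to the bridge address so the container
	# answers back across br0.
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oif br0 ip saddr x.x.x.x counter snat to 10.0.2.1
	}
}
```

Syntax-check the file without applying it using `nft -c -f nat.nft`, then load it with `nft -f nat.nft`. As suggested in the reply, confirm with `lsmod | grep iptable_nat` that the legacy iptables NAT module is not also registered; remove it with `rmmod iptable_nat` if it is.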
2016-10-31 17:33 Forward local traffic to another host with nftables Геннадий Ковалёв
2016-10-31 19:24 ` Pablo Neira Ayuso
2016-10-31 21:36 ` Gennady Kovalev
2016-11-03 16:25 ` Pablo Neira Ayuso [this message]