From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Max Ehrlich <max.ehr@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Simplifying DNAT Rules using Maps
Date: Sun, 7 Jun 2020 23:40:08 +0200
Message-ID: <20200607214008.GB24054@salvia>
In-Reply-To: <CAPyx93x8RtJA8ghab2W630WwpHZP+K-dA26SWkj7+wstasM5mw@mail.gmail.com>
On Wed, Jun 03, 2020 at 12:08:50PM -0400, Max Ehrlich wrote:
> Hi,
>
> I'm switching from iptables to nftables, specifically from a high
> level translator (awall) to using nftables directly since the
> scripting environment is so expressive.
>
> I have quite a few ipv4 DNAT rules that I need to translate, and they
> all have a similar form like the following for a web service:
>
> table ip nat {
>     chain prerouting {
>         ip daddr != 10.0.0.0/8 fib daddr type local tcp dport http dnat 10.1.1.112:8080
>     }
>
>     chain postrouting {
>         ip saddr 10.0.0.0/8 ip daddr 10.1.1.112 tcp dport 8080 masquerade
>     }
> }
>
> table ip filter {
>     chain forward {
>         ip daddr 10.1.1.112 tcp dport 8080 accept
>     }
> }
>
> I want to simplify this using a map so that I can add services to the
> map instead of having to copy all three rules every time. Something
> like this:
>
> table ip nat {
>     map dnat_services {
>         type inet_service : ipv4_addr . inet_service
>         elements = {
>             http : 10.1.1.112 . 8080
>         }
>     }
>
>     chain prerouting {
>         ip daddr != 10.0.0.0/8 fib daddr type local dnat tcp dport map @dnat_services
>     }
> ...
>
> would be great but it seems like the dnat target doesn't accept
> concatenations. I get that this can be done with two maps but it makes
> it quite ugly to write although there are performance benefits. Also I
> have no idea what to do about the filter and masquerade rules. For
> example
>
> chain postrouting {
>     ip saddr 10.0.0.0/8 ip daddr tcp dport map @dnat_services masquerade
> }
>
> doesn't parse (my assumption was that the ip daddr would be the result
> of looking up the tcp dport in the given map; it matches the dnat
> syntax).
>
> So is there a cleaner way to write these rules using maps?
This is supported since nftables >= 0.9.4.

# cat ruleset.nft
table ip nat {
    map destinations {
        type ipv4_addr . inet_service : ipv4_addr . inet_service
    }
    chain f {
        type nat hook postrouting priority srcnat; policy accept;
        snat ip addr . port to ip daddr . tcp dport map @destinations
    }
}
# nft -f ruleset.nft
Then, you can add elements to the `destinations' map that contains the
mapping.
nft add element ip nat destinations { 1.1.1.1 . 80 : 2.2.2.2 . 443 }
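As an added illustration (not part of Pablo's reply or of the nftables project), here is the whole three-rule pattern from the question collapsed into one concatenation map, using the "dnat ip addr . port to ... map" form. The masquerade and forward rules are assumed to key off conntrack's "ct status dnat" instead of repeating the address . port lookup; the network 10.0.0.0/8 and backend 10.1.1.112:8080 are the values from the question, and nftables >= 0.9.4 is assumed.

```nft
# Added example, not the thread's own ruleset. Assumptions: nftables >= 0.9.4,
# internal network 10.0.0.0/8 and backend 10.1.1.112:8080 from the question.
table ip nat {
    map dnat_services {
        # public port -> internal address . port; add one element per service
        type inet_service : ipv4_addr . inet_service
        elements = { http : 10.1.1.112 . 8080 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # only traffic from outside, aimed at a local address, is rewritten
        ip daddr != 10.0.0.0/8 fib daddr type local dnat ip addr . port to tcp dport map @dnat_services
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin case: internal clients reaching a public port are masqueraded,
        # selected by conntrack state rather than by a second map lookup
        ip saddr 10.0.0.0/8 ct status dnat masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # admit only connections the nat table actually rewrote, whatever the map entry
        ct status dnat accept
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it, so a syntax error does not leave the box with a half-applied ruleset.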