From: "Kamil Jońca" <kjonca@op.pl>
To: netfilter@vger.kernel.org
Subject: Re: using sets as snat targets in nat tables
Date: Mon, 25 Apr 2022 19:54:37 +0200 [thread overview]
Message-ID: <875ymxkq02.fsf@alfa.kjonca> (raw)
In-Reply-To: <CAF358wSzMHJQahvxXLofKF-bMc-xev10xjPbGCcZSpie1BMQhQ@mail.gmail.com> (Maximiliano Estudies's message of "Mon, 25 Apr 2022 17:08:08 +0200")
Maximiliano Estudies <maxiestudies@gmail.com> writes:
> Hi,
> I'm trying to use a set as a snat target and failing. This is my config:
>
> table ip nat { # handle 73
>     set dc-cidr-nat { # handle 3
>         type ipv4_addr
>         flags interval
>         elements = { <internal-network> }
>     }
>
>     set external-ip-net { # handle 4
>         type ipv4_addr
>         elements = { <public-ip> }
>     }
>
>     chain POSTROUTING { # handle 1
>         type nat hook postrouting priority srcnat; policy accept;
>         ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
>     }
> }
>
> This fails with "Error: syntax error, unexpected string, expecting ll
> or nh or th". Using an anonymous set doesn't work either, but hard
> coding the <external-ip> does. I can't find any hint in the wiki if
> sets are allowed in this context.
A set can have 0 elements or more than 1. What should your poor computer
do in these cases? Where should it snat to?
IMO you should use a kind of map:
table ip nat {
    map dhcp_snat {
        type iface_index : ipv4_addr
    }
    set dhcp_ifaces {
        type iface_index
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
    }
}
Here, when the DHCP script puts { "wlan0" } into dhcp_ifaces and
{ "wlan0" : 192.168.1.1 } into dhcp_snat, traffic outgoing via wlan0
will be SNATed to 192.168.1.1.
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
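The reply leaves the "dhcp script" that feeds the set and the map unspecified. The following is an added example, not code from either poster: a dhclient-script style hook that keeps dhcp_ifaces and dhcp_snat in sync with the lease, so that every interface in the set has exactly one address in the map (a set with zero or several addresses is exactly what the reply says snat cannot resolve). It assumes the "ip nat" table, set and map exist with the names and types from the reply, and that the DHCP client exports $reason, $interface, $new_ip_address and $old_ip_address as dhclient-script does; those variable names and the event names are dhclient conventions, not something the thread states.

```shell
#!/bin/sh
# Added example (not code from the thread): DHCP hook that maintains the
# dhcp_ifaces set and the dhcp_snat map used by
#   oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
# Assumed environment (dhclient-script conventions): $reason, $interface,
# $new_ip_address, $old_ip_address. Set NFT_DRY_RUN=1 to print the batch
# instead of handing it to nft.

# Render the nft batch for a new or renewed lease. A map key carries only
# one value, so a changed address is removed before the new one is added;
# re-adding an interface that is already in the set is harmless.
render_bind() {
    iface=$1; new=$2; old=${3:-}
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        printf 'delete element ip nat dhcp_snat { "%s" : %s }\n' "$iface" "$old"
    fi
    printf 'add element ip nat dhcp_ifaces { "%s" }\n' "$iface"
    printf 'add element ip nat dhcp_snat { "%s" : %s }\n' "$iface" "$new"
}

# Render the batch for a released or expired lease: drop the interface from
# both objects so traffic leaving it is no longer NATed to a stale address.
render_release() {
    iface=$1; old=$2
    printf 'delete element ip nat dhcp_snat { "%s" : %s }\n' "$iface" "$old"
    printf 'delete element ip nat dhcp_ifaces { "%s" }\n' "$iface"
}

# Pick the batch for a dhclient $reason; prints nothing for unhandled events
# or for a release without a known old address.
render_event() {
    reason=$1; iface=$2; new=${3:-}; old=${4:-}
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT)
            render_bind "$iface" "$new" "$old" ;;
        EXPIRE|FAIL|RELEASE|STOP)
            if [ -n "$old" ]; then render_release "$iface" "$old"; fi ;;
    esac
    return 0
}

# Apply a batch atomically: nft -f commits all lines as one transaction, so
# the set and the map never disagree even if one line is rejected.
apply_batch() {
    if [ "${NFT_DRY_RUN:-0}" = 1 ] || ! command -v nft >/dev/null 2>&1; then
        cat
    else
        nft -f -
    fi
}

# Hook entry point: only acts when dhclient has exported a $reason.
if [ -n "${reason:-}" ]; then
    render_event "$reason" "${interface:-}" "${new_ip_address:-}" \
        "${old_ip_address:-}" | apply_batch
fi
```

Run it as a dhclient exit hook, or try it by hand with `reason=BOUND interface=wlan0 new_ip_address=192.168.1.1 NFT_DRY_RUN=1 sh hook.sh` to see the batch that would be committed.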
Thread overview: 3+ messages
2022-04-25 15:08 using sets as snat targets in nat tables Maximiliano Estudies
2022-04-25 17:54 ` Kamil Jońca [this message]
2022-04-26 7:38 ` Maximiliano Estudies