Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Max Ehrlich <max.ehr@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Simplifying DNAT Rules using Maps
Date: Sun, 7 Jun 2020 23:40:08 +0200
Message-ID: <20200607214008.GB24054@salvia>
In-Reply-To: <CAPyx93x8RtJA8ghab2W630WwpHZP+K-dA26SWkj7+wstasM5mw@mail.gmail.com>

On Wed, Jun 03, 2020 at 12:08:50PM -0400, Max Ehrlich wrote:
> Hi,
> 
> I'm switching from iptables to nftables, specifically from a high
> level translator (awall) to using nftables directly since the
> scripting environment is so expressive.
> 
> I have quite a few ipv4 DNAT rules that I need to translate, and they
> all have a similar form like the following for a web service:
> 
> table ip nat {
>   chain prerouting {
>     ip daddr != 10.0.0.0/8 fib daddr type local tcp dport http dnat 10.1.1.112:8080
>   }
> 
>   chain postrouting {
>     ip saddr 10.0.0.0/8 ip daddr 10.1.1.112 tcp dport 8080 masquerade
>   }
> }
> 
> table ip filter {
>   chain forward {
>     ip daddr 10.1.1.112 tcp dport 8080 accept
>   }
> }
> 
> I want to simplify this using a map so that I can add services to the
> map instead of having to copy all three rules every time. Something
> like this
> 
> table ip nat {
>   map dnat_services {
>     type inet_service: ipv4_addr . inet_service
>     elements = {
>       http: 10.1.1.112 . 8080
>     }
>   }
> 
>   chain prerouting {
>     ip daddr != 10.0.0.0/8 fib daddr type local dnat tcp dport map @dnat_services
>   }
> ...
> 
> would be great but it seems like the dnat target doesn't accept
> concatenations. I get that this can be done with two maps but it makes
> it quite ugly to write although there are performance benefits. Also I
> have no idea what to do about the filter and masquerade rules. For
> example
> 
> chain postrouting {
>   ip saddr 10.0.0.0/8 ip daddr tcp dport map @dnat_services masquerade
> }
> 
> doesn't parse (my assumption was this would have been that the ip
> daddr would be the result of looking up the tcp dport in the given
> map, it matches the dnat syntax)
> 
> So is there a cleaner way to write these rules using maps?

This is supported since nftables >= 0.9.4

# cat ruleset.nft
table ip nat {
        map destinations {
                type ipv4_addr . inet_service : ipv4_addr . inet_service
        }

        chain f {
                type nat hook postrouting priority srcnat; policy accept;
                snat ip addr . port to ip daddr . tcp dport map @destinations
        }
}
# nft -f ruleset.nft

Then, you can add elements to the `destinations' map that contains the
mapping.

nft add element ip nat destinations { 1.1.1.1 . 80 : 2.2.2.2 . 443 }
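For reference, here is how the three rules from the original question could be written around one map plus one set using the concatenated NAT map form shown above. This is an added example, not a ruleset from the thread; it assumes nftables >= 0.9.4, keeps the 10.1.1.112 backend from the question, and puts the forward chain in the same table because sets and maps are scoped to a table.

```nft
# Added example (not from the thread). Assumes nftables >= 0.9.4 and the
# "dnat ip addr . port to ... map" form used in Pablo's reply.
table ip nat {
    # published service port -> backend address . backend port
    map dnat_services {
        type inet_service : ipv4_addr . inet_service
        elements = {
            http  : 10.1.1.112 . 8080,
            https : 10.1.1.113 . 8443    # constructed second service
        }
    }

    # The same backend address . port pairs, listed a second time:
    # rules can look keys up in a map but cannot match against its values,
    # so the filter and masquerade rules need a set of the destinations.
    set backends {
        type ipv4_addr . inet_service
        elements = { 10.1.1.112 . 8080, 10.1.1.113 . 8443 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # one rule for all published services; add a service by adding a map element
        ip daddr != 10.0.0.0/8 fib daddr type local dnat ip addr . port to tcp dport map @dnat_services
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin case from the question: internal clients reaching a backend are masqueraded
        ip saddr 10.0.0.0/8 ip daddr . tcp dport @backends masquerade
    }

    chain forward {
        # policy drop assumed so that the accept below actually gates traffic
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ip daddr . tcp dport @backends accept
    }
}
```

Adding a service then means one `nft add element ip nat dnat_services { ... }` and one `nft add element ip nat backends { ... }`, instead of copying three rules.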
