* using sets as snat targets in nat tables
From: Maximiliano Estudies @ 2022-04-25 15:08 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to use a set as a snat target and failing. This is my config:
table ip nat { # handle 73
    set dc-cidr-nat { # handle 3
        type ipv4_addr
        flags interval
        elements = { <internal-network> }
    }

    set external-ip-net { # handle 4
        type ipv4_addr
        elements = { <public-ip> }
    }

    chain POSTROUTING { # handle 1
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
    }
}
This fails with "Error: syntax error, unexpected string, expecting ll or nh or th". Using an anonymous set doesn't work either, but hard coding the <external-ip> does. I can't find any hint in the wiki on whether sets are allowed in this context.
OS: Linux version 5.4.0-107-generic (buildd@lcy02-amd64-058) (gcc
version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1))
nftables version: v0.9.3 (Topsy)
From: Kamil Jońca @ 2022-04-25 17:54 UTC (permalink / raw)
To: netfilter
Maximiliano Estudies <maxiestudies@gmail.com> writes:
> Hi,
> I'm trying to use a set as a snat target and failing. This is my config:
>
> table ip nat { # handle 73
>     set dc-cidr-nat { # handle 3
>         type ipv4_addr
>         flags interval
>         elements = { <internal-network> }
>     }
>
>     set external-ip-net { # handle 4
>         type ipv4_addr
>         elements = { <public-ip> }
>     }
>
>     chain POSTROUTING { # handle 1
>         type nat hook postrouting priority srcnat; policy accept;
>         ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
>     }
> }
>
> This fails with "Error: syntax error, unexpected string, expecting ll or nh or th". Using an anonymous set doesn't work either, but hard coding the <external-ip> does. I can't find any hint in the wiki on whether sets are allowed in this context.
A set can have 0 elements or more than 1. What should your poor computer do in these cases? Where should it snat to?
IMO you should use a kind of map:
table ip nat {
    map dhcp_snat {
        type iface_index : ipv4_addr
    }

    set dhcp_ifaces {
        type iface_index
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
    }
}
Here, when the dhcp script puts
{ "wlan0" } into dhcp_ifaces
and
{ "wlan0" : 192.168.1.1 } into dhcp_snat,
traffic outgoing via wlan0 will be snat-ed to 192.168.1.1.
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
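A ruleset for the original poster's case, added here as an example and not part of either message: it keys the SNAT address on the source prefix with an interval map, which is what Kamil's map approach looks like when the selector is the internal network rather than the outgoing interface. The table, map and chain names, the interface name and the 10.x.0.0/16 and 203.0.113.x addresses are placeholders chosen for this example.

```nft
# Added example, not from the thread: one public address per internal prefix.
# Names, interface and addresses are placeholders.
table ip nat {
    # "flags interval" lets the keys be prefixes instead of single hosts.
    map snat_by_src {
        type ipv4_addr : ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 : 203.0.113.10,
                     10.20.0.0/16 : 203.0.113.11 }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # A source not present in the map simply does not match this rule and
        # leaves untranslated, which answers "where should it snat to?" for the
        # empty-set and many-member cases. Each key resolves to exactly one
        # address; a pool would be written as an explicit range, e.g.
        # "snat to 203.0.113.10-203.0.113.20", not as a set.
        oif "enp1s0f0" snat to ip saddr map @snat_by_src comment "internet gateway"
    }
}
```

`nft -c -f snat.nft` parses and checks the file without loading it, and `nft add element ip nat snat_by_src '{ 10.30.0.0/16 : 203.0.113.12 }'` extends the map at runtime without touching the rule; the original poster's nftables 0.9.3 is old enough that the interval-map NAT target should be confirmed with that check first.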
From: Maximiliano Estudies @ 2022-04-26 7:38 UTC (permalink / raw)
To: netfilter
On Tue, 26 Apr 2022 at 1:33, Kamil Jońca (<kjonca@op.pl>) wrote:
>
> Maximiliano Estudies <maxiestudies@gmail.com> writes:
>
> > Hi,
> > I'm trying to use a set as a snat target and failing. This is my config:
> >
> > table ip nat { # handle 73
> >     set dc-cidr-nat { # handle 3
> >         type ipv4_addr
> >         flags interval
> >         elements = { <internal-network> }
> >     }
> >
> >     set external-ip-net { # handle 4
> >         type ipv4_addr
> >         elements = { <public-ip> }
> >     }
> >
> >     chain POSTROUTING { # handle 1
> >         type nat hook postrouting priority srcnat; policy accept;
> >         ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
> >     }
> > }
> >
> > This fails with "Error: syntax error, unexpected string, expecting ll or nh or th". Using an anonymous set doesn't work either, but hard coding the <external-ip> does. I can't find any hint in the wiki on whether sets are allowed in this context.
>
> A set can have 0 elements or more than 1. What should your poor computer do in these cases? Where should it snat to?
>
> IMO you should use a kind of map:
> table ip nat {
>     map dhcp_snat {
>         type iface_index : ipv4_addr
>     }
>
>     set dhcp_ifaces {
>         type iface_index
>     }
>
>     chain POSTROUTING {
>         type nat hook postrouting priority srcnat; policy accept;
>         oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
>     }
> }
>
> Here, when the dhcp script puts
> { "wlan0" } into dhcp_ifaces
> and
> { "wlan0" : 192.168.1.1 } into dhcp_snat,
> traffic outgoing via wlan0 will be snat-ed to 192.168.1.1.
> KJ
>
>
> --
> http://wolnelektury.pl/wesprzyj/teraz/
Thanks for your answer Kamil! Your proposed solution is very elegant. I didn't know that sets can be empty and assumed that if the set had more than one element the addresses would be treated as a pool. I'm rendering the config with a config management tool that doesn't support maps in the nftables module; I'll try to extend it.