Max Ehrlich writes:
> Just to put some more context, I was able to do this using a map and a
> set as follows:
>
> ```
> define dnat_targets = {
>     80 : 10.0.10.1 . 8080,
>     25565 : 10.0.10.8 . 25565
> }
>
> define dnat_allowed = {
>     10.0.10.1 . 8080,
>     10.0.10.8 . 25565
> }
>
> [...]
>
> table inet filter {
>     set dnat_allowed {
>         type ipv4_addr . inet_service
>         elements = $dnat_allowed
>     }
>
>     chain forward {
>         ip daddr . tcp dport @dnat_allowed accept
>     }
> }
> ```
>
> however note that the values of the map `dnat_targets` are the same as the
> set `dnat_allowed`, I wonder if there is a way to do this with only
> the map `dnat_targets`? Something like using only the values of the
> map as a set?

FWIW in filter you can just say "allow anything I already DNATted":

  # xtables, annoying explicit way (--dports needs the multiport match)
  -A FORWARD -p tcp -m multiport --dports http,https -d www -j ACCEPT
  -A FORWARD -p tcp -m multiport --dports imaps,submission -d mail -j ACCEPT
  ...

  # xtables, easy way (--ctstate needs the conntrack match)
  -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

  # nft, easy way
  ct status dnat accept

A full ruleset might look like this (attached):
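To show the "easy way" end to end, here is an added example ruleset; it is not the attachment from the original message and not the ruleset of either poster. It keeps the port-to-target map from the question as a single named map in the nat table, and lets the forward chain trust conntrack instead of a second copy of the targets. Assumptions: the WAN-facing interface is called wan0 and the LAN interface lan0 (made-up names), the targets are reachable from the router, and the nft/kernel in use accept concatenated `addr . port` values as map data in a `dnat` statement (roughly nftables 0.9.4 and kernel 5.6 or newer, to my knowledge; verify against your own versions).

```nft
# Added example, not part of the original thread. Load with: nft -f <file>
flush ruleset

table ip nat {
    # Single source of truth for the port forwards: dport -> (addr . port).
    # Assumption: this nft/kernel supports concatenated map data for dnat.
    map dnat_targets {
        type inet_service : ipv4_addr . inet_service
        elements = {
            80    : 10.0.10.1 . 8080,
            25565 : 10.0.10.8 . 25565
        }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only rewrite TCP arriving on the WAN side (wan0 is an assumed name).
        iifname "wan0" dnat to tcp dport map @dnat_targets
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies and related traffic for anything already accepted.
        ct state established,related accept

        # Anything whose destination was rewritten by the nat table above.
        # No second set of allowed targets is needed: if a connection carries
        # the dnat status, it matched the map, so it is allowed through.
        ct status dnat accept

        # LAN clients may still go out; everything else hits the drop policy.
        iifname "lan0" oifname "wan0" accept
    }
}
```

The point of `ct status dnat` is that conntrack records the fact that a NAT mapping was applied to the connection, independent of which rule applied it, so the filter chain never has to repeat the address list. The flip side is worth checking: if the nat table ever gains a broader DNAT rule (say a catch-all redirect), the forward chain will accept that traffic too, so review both tables together when you change either.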