Netfilter-Devel Archive on lore.kernel.org
* Nat redirect using map
@ 2019-10-31 18:48 Daniel Huhardeaux
  2019-10-31 19:12 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Huhardeaux @ 2019-10-31 18:48 UTC (permalink / raw)
  To: Netfilter list

Hi,

I have a map like this

map redirect_tcp {
        type inet_service : inet_service
        flags interval
        elements = { 12345 : 12345, 36025 : smtp }
}

and want to use nat redirect but it fails with unexpecting to, expecting 
EOF or semicolon. Here is the rule

nft add rule ip nat prerouting iif eth0 tcp dport map @redirect_tcp 
redirect to @redirect_tcp

How can I get this working?

Other: when using dnat for forwarding, should I take care of forward rules?

Example for this kind of rule from wiki:

nft add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat 
192.168.1.120

Thanks for any hint
-- 
TOOTAi Networks


* Re: Nat redirect using map
  2019-10-31 18:48 Nat redirect using map Daniel Huhardeaux
@ 2019-10-31 19:12 ` Florian Westphal
  2019-11-01 15:11   ` Daniel Huhardeaux
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2019-10-31 19:12 UTC (permalink / raw)
  To: Daniel Huhardeaux; +Cc: Netfilter list

Daniel Huhardeaux <tech@tootai.net> wrote:
> Hi,
> 
> I have a map like this
> 
> map redirect_tcp {
>                 type inet_service : inet_service
>                 flags interval
>                 elements = { 12345 : 12345, 36025 : smtp }
>         }
> 
> and want to use nat redirect but it fails with unexpecting to, expecting EOF
> or semicolon. Here is the rule
> 
> nft add rule ip nat prerouting iif eth0 tcp dport map @redirect_tcp redirect
> to @redirect_tcp

This should work:
nft add rule ip nat prerouting iif eth0 ip protocol tcp redirect to : tcp dport map @redirect_tcp

> Other: when using dnat for forwarding, should I take care of forward rules?
> 
> Example for this kind of rule from wiki:
> 
> nft add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat
> 192.168.1.120

You mean auto-accept dnatted connections? Try "ct status dnat accept"

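Putting Florian's two answers together, here is a complete nftables ruleset file for `nft -f` as an added example; it is not code from the thread or from the netfilter project. The interface name, the map and the 192.168.1.120 target come from the messages above; the table and chain names, the numeric hook priorities and the `policy drop` on the forward chain are my own choices for the example.

```nft
#!/usr/sbin/nft -f
# Added example: redirect via a port map plus a dnat port forward, with a
# forward chain that only admits connections the nat table translated.

table ip nat {
    map redirect_tcp {
        type inet_service : inet_service
        flags interval
        elements = { 12345 : 12345, 36025 : smtp }
    }

    chain prerouting {
        # -100 is the conventional dstnat priority (runs before routing)
        type nat hook prerouting priority -100; policy accept;

        # Redirect to this host; the destination port is looked up in the map
        # inside the "to" expression, which is where nft expects it.
        # Daniel's first attempt put the map before "redirect", hence the
        # "unexpected to" parse error.
        iif "eth0" ip protocol tcp redirect to : tcp dport map @redirect_tcp

        # Forward web traffic to an internal host (the wiki's dnat example,
        # written with the "dnat to" form).
        iif "eth0" tcp dport { 80, 443 } dnat to 192.168.1.120
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Redirected connections are delivered locally and never reach this
        # hook; the dnatted ones do, and the "dnat" conntrack status bit is
        # set only on flows the nat table actually translated, so this
        # accepts exactly the forwarded ports and nothing else.
        ct status dnat accept
    }
}
```

Check the file without loading it with `nft -c -f redirect.nft` (the file name is assumed), then load it with `nft -f redirect.nft` and confirm the result with `nft list ruleset`. Keeping the forward chain at `policy drop` with `ct status dnat accept` means a new port forward is exposed only when a nat rule is added for it; no separate forward rule has to be maintained per port.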

* Re: Nat redirect using map
  2019-10-31 19:12 ` Florian Westphal
@ 2019-11-01 15:11   ` Daniel Huhardeaux
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Huhardeaux @ 2019-11-01 15:11 UTC (permalink / raw)
  To: Netfilter list

On 31/10/2019 at 20:12, Florian Westphal wrote:
> Daniel Huhardeaux <tech@tootai.net> wrote:
>> Hi,
>>
>> I have a map like this
>>
>> map redirect_tcp {
>>                  type inet_service : inet_service
>>                  flags interval
>>                  elements = { 12345 : 12345, 36025 : smtp }
>>          }
>>
>> and want to use nat redirect but it fails with unexpecting to, expecting EOF
>> or semicolon. Here is the rule
>>
>> nft add rule ip nat prerouting iif eth0 tcp dport map @redirect_tcp redirect
>> to @redirect_tcp
> 
> This should work:
> nft add rule ip nat prerouting iif eth0 ip protocol tcp redirect to : tcp dport map @redirect_tcp

Yes!

> 
>> Other: when using dnat for forwarding, should I take care of forward rules?
>>
>> Example for this kind of rule from wiki:
>>
>> nft add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat
>> 192.168.1.120
> 
> You mean auto-accept dnatted connections? Try "ct status dnat accept"

Exactly what I was looking for, many thanks.

Daniel
-- 
TOOTAi Networks

