Thanks all, I've got nftables working and I'm playing with some rules.
I'm trying to do NAT on my gateway with SNAT (masquerading is not
implemented yet) with this rule:

table ip nat {
        chain postrouting {
                type nat hook postrouting priority 0;
                oif eth0 snat $eth0
        }
}

$eth0 is the outgoing ethernet IP address.
If I try to ping 8.8.8.8 from a PC, I can sniff the outgoing ICMP on the
gateway with the correct address $eth0, but the replies aren't
forwarded back to the PC.
Is the snat target supposed to also do connection tracking?

2014-02-26 17:34 GMT+01:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Wed, Feb 26, 2014 at 05:26:58PM +0100, Matteo Croce wrote:
>> What module I'm missing now?
>>
>> # nft list table global
>> table ip global {
>>         chain one {
>>                  type filter hook input priority 0;
>>         }
>> }
>>
>> # nft add set global ipv4_ad \{ type ipv4_address \; \}
>> internal:0:0-0: Error: Could not add set: Operation not supported
>
> nft_hash 12900 0
> nft_rbtree 12808 1
> nf_tables 42349 3 nf_tables_ipv4,nft_hash,nft_rbtree

-- 
Matteo Croce
OpenWrt Developer