Re: Masquerading with selectively open ports -- nftables

On 29 October 2015 at 05:51, Johannes Ernst <johannes.ernst@xxxxxxxxx> wrote:
>> On Oct 28, 2015, at 16:15, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>
>> You can probably contribute these examples to the wiki. Or I'd be
>> happy to get more or less generic scripts as examples that we can
>> place in the wiki.
>
> Once I figured out how to do what I want to do, I will definitely put it somewhere where others can find it.
>
>>> Now I’m attempting to add masquerading, and I’m failing:
>>>> nft add table nat
>>>> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
>>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>>>> nft add rule nat postrouting masquerade
>>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
>>> add rule nat postrouting masquerade
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>
>>> 1. This is copied straight from the wiki [1]. What am I doing wrong?
>>
>> The lines above work fine here.
>>
>> Masquerading was added in 3.18, what kernel version are you using?
>
> I’m on Arch, Linux 4.2.2 or thereabouts.
>
>> Moreover, make sure you also compiled masquerading support for nf_tables:
>>
>> CONFIG_NFT_MASQ=m
>
> Ahh, that might be it. The Arch build script is here [2] and I don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile tomorrow and see where that leads us.
>

This config option is from the Linux kernel, for example:

% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m


> The other thing I’m still missing is where to attach the masquerade keyword. Is it on the incoming or outgoing interface or automagic? E.g. if my box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment), do I need to say something like “iifname enp2s0 masquerade”?
>

Masquerading is a kind of source NAT, so it only works in the output
path. I think you need this: 'oifname enp2s0 masquerade' in the nat
postrouting chain.

> Also, the example has a separate table ‘nat’. Can I just put the nat chain into my inet filter table, or does this have to be a separate table?
>

In nftables, tables have no special semantics apart from storing chains.
Beware of families, however; I doubt the inet family can hold NAT
stuff.

-- 
Arturo Borrero González
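The two points made in this thread, checking that the running kernel was built with CONFIG_NFT_MASQ before expecting the `masquerade` statement to load, and attaching it to the outgoing (upstream) interface in the postrouting chain of a separate `nat` table, put together as a small POSIX shell script. This is an added example, not code from the thread or from the nftables project; the sample kernel config it inspects is constructed inline to mirror the grep output above, and `enp2s0` is assumed to be the upstream interface as in the question. On a real host you would point `nft_masq_supported` at `/boot/config-$(uname -r)` and feed the printed ruleset to `nft -f`.

```shell
#!/bin/sh
# Added example: verify nf_tables masquerade support in a kernel config,
# then emit a nat table with masquerade bound to the upstream interface.

# Return 0 when the given kernel config enables CONFIG_NFT_MASQ (as a
# module or built-in), 1 otherwise. A missing option is the usual cause of
# "Could not process rule: No such file or directory" when adding masquerade.
nft_masq_supported() {
    cfg="$1"
    grep -Eq '^CONFIG_NFT_MASQ=(y|m)$' "$cfg"
}

# Print a ruleset for a separate 'nat' table of family ip. Masquerade is a
# form of source NAT, so it is matched on the *outgoing* interface (oifname)
# in the postrouting chain, not on the LAN-facing incoming interface.
nat_ruleset() {
    wan="$1"
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname "$wan" masquerade
    }
}
EOF
}

# Constructed sample config (not a real file from the thread), modelled on
# the CONFIG_NFT_* lines shown above.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
EOF

if nft_masq_supported "$SAMPLE_CFG"; then
    echo "CONFIG_NFT_MASQ present; ruleset to load with 'nft -f':"
    nat_ruleset enp2s0        # enp2s0 assumed to be the ISP-facing interface
else
    echo "CONFIG_NFT_MASQ missing: 'masquerade' will fail to load" >&2
fi
rm -f "$SAMPLE_CFG"
```

The config check deliberately looks only at `CONFIG_NFT_MASQ`, the option Pablo named; the per-family `CONFIG_NFT_MASQ_IPV4` line is informational here and is not required by the check. The emitted table uses the `ip` family rather than `inet`, in line with the doubt expressed above about putting NAT chains into the inet filter table.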
