Kernel modules are ok now, but I can’t get “out” from my LAN via masquerade if I say 'oifname enp2s0 masquerade'. It does seem to work without the oifname. But how does nftables decide which of the interfaces needs to be masqueraded if I don’t provide such a conditional?

This is what I have:

enp2s0: 192.168.138.125 (towards ‘upstream’)
enp3s0: 192.168.150.1 (‘LAN’)

> nft list tables
table ip nat
> nft list table ip nat
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority 0; policy accept;
		oifname "enp2s0" masquerade
	}
}

My ‘LAN’ test machine has 192.168.150.239. It can ping 192.168.150.1 and 192.168.138.125, but nothing further upstream. My ‘gateway’ can ping upstream and the LAN test machine.

Again, it seems to work if I drop the 'oifname "enp2s0"' in front of the masquerade.

Thanks,
Johannes.