On 30 July 2016 at 14:07, Imran Geriskovan <imran.geriskovan@xxxxxxxxx> wrote:
> Hi... To control my outgoing traffic, I've redirected it to a local
> proxy like this:
>
> iptables -t nat -A OUTPUT -p tcp --dport XX -m owner --uid-owner imran
> -j DNAT --to 127.0.0.1:YY
>
> What's its equivalent on nftables?
>
> As I explore my options, I've tried the following
> without success. Is DNAT on Output unsupported on nftables?
>
> I'm on Kernel 4.6.4. Looking at Arch Linux default kernel config,
> I see everything is included for netfilter/nftables/iptables, etc.
>
> Thanks for your comments...
>
> chain out {
>     type filter hook output priority 0; policy drop;
>     meta skuid imran tcp dport XX counter dnat 127.0.0.1:YY # jump natout
> }
> # Gives error with DNAT
> # If I replace DNAT with JUMP, the error is gone. But it doesn't do anything.
>
> chain natout {
>     tcp dport XX counter dnat 127.0.0.1:YY # counts nothing!
>     counter # counts same as the counter at out
> }

Perhaps the error is your base chain: it seems to be of type filter.

Please read the nftables wiki [0][1].

[0] https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
[1] https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

-- 
Arturo Borrero González
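A working nftables equivalent of the iptables rule quoted above, as an added example that is not from the thread: the dnat statement must sit in a base chain of type nat on the output hook, which is the point the reply makes. Ports 443 and 8080 are constructed stand-ins for XX and YY, the modern `dnat to` spelling is used, and the second table is an assumption showing how a drop-policy filter chain like the one in the question can still accept the rewritten connection.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Equivalent of:
#   iptables -t nat -A OUTPUT -p tcp --dport XX -m owner --uid-owner imran \
#            -j DNAT --to 127.0.0.1:YY
# 443 and 8080 are constructed sample ports standing in for XX and YY.
# Note: "flush ruleset" discards every existing table on the host; drop it
# if you are adding these tables next to an existing firewall.

flush ruleset

table ip nat {
    # DNAT is only valid in a chain of type nat. The output hook sees
    # locally generated packets, which is where the skuid (owner) match
    # makes sense. Priority -100 matches iptables' nat OUTPUT position.
    chain output {
        type nat hook output priority -100; policy accept;
        meta skuid imran tcp dport 443 counter dnat to 127.0.0.1:8080
    }
}

table ip filter {
    # Assumed companion to the question's drop-policy filter chain. It runs
    # after the nat chain (priority 0 > -100), so it already sees the
    # rewritten destination; "ct status dnat" selects exactly those flows.
    chain output {
        type filter hook output priority 0; policy drop;
        ct status dnat counter accept
        # The proxy's own upstream connections still need their own
        # accept rule here (e.g. by the uid the proxy runs as).
    }
}
```

Load it with `nft -f <file>`, then `nft list ruleset` shows the counter on the nat rule increasing as the user's traffic is redirected, and `conntrack -L` (if installed) lists the entries with the rewritten reply tuple.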