31.10.2016 22:24, Pablo Neira Ayuso wrote:
> On Mon, Oct 31, 2016 at 08:33:57PM +0300, Геннадий Ковалёв wrote:
>> I have a Linux box (external IP x.x.x.x; internal bridge (br0) IP
>> 10.0.2.1) with an LXC container (10.0.2.22). I want to translate local
>> HTTP packets with daddr set to the public IP to the LXC container. I have
>> put a dnat rule in a nat chain with the output hook, and an snat rule in
>> the nat table with the postrouting hook:
>
> From
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
>
> "You have to register the prerouting chain even if you have no rules
> there since this chain invokes the NAT engine for the packets coming
> in the input path."
Oh, I tried to make the example simple and made a mistake in the simplified config.
Another try:
root@sed:~# nft list ruleset
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}

	chain output {
		type nat hook output priority 0; policy accept;
		oif lo ip daddr x.x.x.x tcp dport http counter nftrace set 1 dnat 10.0.2.22
	}

	chain postrouting {
		type nat hook postrouting priority 0; policy accept;
		oif br0 ip saddr x.x.x.x counter snat 10.0.2.1
	}
}
And the trimmed tcpdump output:

IP 10.0.2.1.36320 > 10.0.2.22.80: Flags [S], seq 2655320356...
IP 10.0.2.22.80 > x.x.x.x.36320: Flags [S.], seq 1337026682, ack 2655320357...
IP x.x.x.x.36320 > 10.0.2.22.80: Flags [R], seq 2655320357...
It looks like on the reverse path the IP changed by snat is restored, but the
one changed by dnat is not.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
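An added example, not part of the thread and not taken from the nftables wiki: the ruleset posted above with one more empty chain, registered on the input hook. The NAT engine undoes a translation on the hook that sees the reply packets, on the opposite side of the stack from where it was applied: the snat done in postrouting is reversed in prerouting (which the capture shows working, the reply's destination is back to x.x.x.x), while the dnat done in output is reversed in input, and a nat chain must be registered on that hook even if it carries no rules. x.x.x.x is kept as the placeholder used in the thread, and the rules and priorities are exactly the posted ones.

```nft
# Added example (not from the thread): the posted ruleset plus an empty
# nat chain on the input hook. Load with `nft -f <file>`; x.x.x.x is the
# placeholder public address from the thread.
table ip nat {
	chain prerouting {
		# No rules needed here: this hook reverses the postrouting snat
		# on replies arriving from br0 (dst 10.0.2.1 -> x.x.x.x).
		type nat hook prerouting priority 0; policy accept;
	}

	chain input {
		# No rules needed here either: this hook reverses the output dnat
		# on replies delivered to the local socket (src 10.0.2.22 -> x.x.x.x).
		# Without it the reply reaches the socket with the container's
		# address as source and the stack answers with a RST.
		type nat hook input priority 0; policy accept;
	}

	chain output {
		type nat hook output priority 0; policy accept;
		# Locally generated HTTP to the public address goes to the container;
		# the packet is rerouted through br0 after the dnat.
		oif lo ip daddr x.x.x.x tcp dport http counter nftrace set 1 dnat 10.0.2.22
	}

	chain postrouting {
		type nat hook postrouting priority 0; policy accept;
		# The rerouted packet still carries the public source address; give it
		# the bridge address so the container answers to the host.
		oif br0 ip saddr x.x.x.x counter snat 10.0.2.1
	}
}
```

To check the result, `nft monitor trace` shows the packet walking the output and postrouting chains (the dnat rule already sets nftrace), and `conntrack -L` should list the flow with both translations recorded. With the input chain registered, the SYN-ACK that the capture showed as `10.0.2.22.80 > x.x.x.x.36320` should instead be delivered to the local socket as `x.x.x.x.80 > x.x.x.x.36320`, and the RST should disappear.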