On Wed, May 24, 2017 at 11:49:04AM +0200, Arturo Borrero Gonzalez wrote:
> On 24 May 2017 at 11:30, Zheng konia <konianet@xxxxxxxxx> wrote:
> > Hi, I have read your wiki.
> >
> > However, there are fewer examples about DNAT --to-destination-port range.
> > You do have examples about different destinations, while I am
> > looking for the different destination-port balance.
> >
> > Any suggestion?
> >
>
> Try something like this:
>
> nft add rule t c ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }
> (i.e., the destination address doesn't change, but the port does)
>
> We can update the wiki if that works.

BTW, depending on your environment, you may want to use a stateless
NAT approach too that should be faster, e.g.

    nft add rule t c ip protocol tcp ip daddr set 192.168.1.100 \
        tcp dport set numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }

This requires a recent Linux kernel though.

Note: Beware of stateless NAT, it only works with 1:1 mappings, it's
easy to shoot yourself in the foot... Otherwise, stick to the
stateful approach.
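
The 1:1 caveat above, as an added example that is not part of the original thread: a simplified Python model (not nft code) comparing the `dnat` rule, where the NAT chain is evaluated once per connection and conntrack reuses the result, with the stateless `tcp dport set` rewrite, where `numgen` runs on every packet. The client addresses, the packet sequence and all function names are constructed for illustration.

```python
from itertools import count

PORT_MAP = {0: 4040, 1: 4050}   # the map from the thread: numgen inc mod 2

class NumGen:
    """Model of 'numgen inc mod N': a counter bumped on every rule evaluation."""
    def __init__(self, mod):
        self.mod, self._n = mod, count()

    def next(self):
        return next(self._n) % self.mod

def stateful_dnat(packets):
    """dnat model: only the first packet of a connection reaches the NAT rule;
    conntrack applies the stored mapping to the rest of the flow."""
    gen, conntrack, out = NumGen(2), {}, []
    for flow in packets:
        if flow not in conntrack:
            conntrack[flow] = PORT_MAP[gen.next()]
        out.append((flow, conntrack[flow]))
    return out

def stateless_rewrite(packets):
    """'tcp dport set numgen ...' model: no conntrack, every packet is evaluated."""
    gen = NumGen(2)
    return [(flow, PORT_MAP[gen.next()]) for flow in packets]

def ports_per_flow(result):
    """Collect the set of destination ports each flow was rewritten to."""
    seen = {}
    for flow, port in result:
        seen.setdefault(flow, set()).add(port)
    return seen

# Constructed sample: two client flows (source IP, source port), interleaved packets.
A, B = ("198.51.100.7", 40000), ("198.51.100.9", 40001)
PACKETS = [A, A, B, A, B, B]

if __name__ == "__main__":
    for name, fn in (("stateful", stateful_dnat), ("stateless", stateless_rewrite)):
        for flow, ports in ports_per_flow(fn(PACKETS)).items():
            print(f"{name:9} {flow[0]}:{flow[1]} -> ports {sorted(ports)}")
```

In the model, each flow stays on one backend port under the stateful rule, while the per-packet rewrite spreads a single flow across both ports; the model also leaves out reply traffic, which conntrack reverse-translates automatically and a stateless setup has to rewrite with its own rule.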