nft snat with maps for port ranges?

Hi,

I need to set up SNAT with static and predictable IP/port range
allocations for each client. In iptables this results in a long list of
rules similar to:

-A POSTROUTING -p tcp -s 10.1.1.1 -j SNAT --to IP1:10000-10999
-A POSTROUTING -p tcp -s 10.1.1.2 -j SNAT --to IP2:10000-10999
-A POSTROUTING -p tcp -s 10.1.1.3 -j SNAT --to IP1:11000-11999
-A POSTROUTING -p tcp -s 10.1.1.4 -j SNAT --to IP2:11000-11999
...
(possibly with --random/--random-fully, separately for each protocol)

Is there any way to leverage nft maps to simplify such chain of rules?

As far as I can tell:

meta l4proto tcp snat to jhash ip saddr mod 2 map {
  0 : IP1,
  1 : IP2
} : ip saddr map {
  10.1.1.1 : 10000,
  10.1.1.2 : 10000,
  ...
} - ip saddr map {
  10.1.1.1 : 10999,
  10.1.1.2 : 10999,
  ...
}

does not work ("Error: syntax error, unexpected -, expecting newline or
semicolon").


Of course removing the part after the "-" makes it work, but it does not
solve the problem. Allocating a single port per IP is not ideal.


range_stmt_expr in src/parser_bison.y also does not make me feel
optimistic. It only parses "basic_stmt_expr" and as far as I can tell
map_stmt_expr are not part of this token.


Any ideas for accomplishing this task are welcome.

-- 
Best regards,
  Jacek Kowalski


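Added example, not part of the post: until a map expression can yield a port range, the practical route is to generate the expanded per-client rules from a table, which at least keeps the allocation deterministic and lets you verify it before loading. The script below reproduces the post's allocation pattern (clients alternate between two NAT addresses and advance through 1000-port blocks), checks that no two clients share a port range on the same address (the property that makes NAT logs attributable to one client), and renders the nft rules. The NAT addresses are constructed placeholders standing in for IP1/IP2, and the `snat to addr:lo-hi fully-random` rule syntax is assumed from the nft manual.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs: RFC 5737 documentation addresses standing in for the
# post's IP1/IP2, plus the block size and port window used in the post.
NAT_ADDRS = ["198.51.100.1", "198.51.100.2"]
PORTS_PER_CLIENT = 1000
FIRST_PORT = 10000
LAST_PORT = 65535


def allocate(clients, nat_addrs=NAT_ADDRS, size=PORTS_PER_CLIENT,
             first=FIRST_PORT, last=LAST_PORT):
    """Deterministic allocation mirroring the post's pattern:
    client i -> nat_addrs[i % n] and the (i // n)-th block of `size` ports.
    Clients are sorted numerically so the result does not depend on input
    order. Returns {client: (nat_addr, low_port, high_port)}."""
    n = len(nat_addrs)
    table = {}
    for i, client in enumerate(sorted(clients, key=ipaddress.ip_address)):
        lo = first + (i // n) * size
        hi = lo + size - 1
        if hi > last:
            raise ValueError(f"port space exhausted at client {client}")
        table[client] = (nat_addrs[i % n], lo, hi)
    return table


def check_no_overlap(table):
    """Return (client_a, client_b) pairs whose port ranges collide on the
    same NAT address; an empty list means every flow maps back to exactly
    one client."""
    by_addr = defaultdict(list)
    for client, (addr, lo, hi) in table.items():
        by_addr[addr].append((lo, hi, client))
    collisions = []
    for ranges in by_addr.values():
        ranges.sort()
        for (lo1, hi1, c1), (lo2, hi2, c2) in zip(ranges, ranges[1:]):
            if lo2 <= hi1:
                collisions.append((c1, c2))
    return collisions


def render_nft(table, protos=("tcp", "udp"), flags="fully-random"):
    """Emit an nft table with one snat rule per client and protocol.
    Rule syntax assumed: 'snat to ADDR:LO-HI fully-random'."""
    lines = [
        "table ip nat {",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat; policy accept;",
    ]
    for client, (addr, lo, hi) in table.items():
        for proto in protos:
            lines.append(
                f"    ip saddr {client} meta l4proto {proto} "
                f"snat to {addr}:{lo}-{hi} {flags}"
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed client list matching the post's example.
    clients = ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"]
    table = allocate(clients)
    assert not check_no_overlap(table), "allocation is ambiguous"
    print(render_nft(table))
```

Run it and feed the output to `nft -f -`; the overlap check is cheap insurance against a hand-edited table, and the exhaustion error fires before a client silently gets a range above 65535.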
