Re: nftables snat map with ports

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Sat, 23 Apr 2022 18:11:24 +0200



On Fri, Apr 22, 2022 at 08:22:25PM -0300, Patrick Brandão wrote:
> Hi Pablo,
> 
> first, congratulations for the great work on the netfilter project.
> 
> After seeing your presentation at
> https://people.netfilter.org/pablo/nft-tutorial.pdf
> I have a question (and a problem):
> Is it possible to map networks and ports on the snat map?
> 
> # Example: 100.80.0.0/30 snat to 45.255.128.0/30
> add rule ip nat POSTROUTING snat ip prefix to ip saddr map {
> 100.80.0.0/30:45.255.128.0/30 }
> 
> # Solution need: 100.80.0.0/30 snat to 45.255.128.0/30 ports 1000-2000
> add rule ip nat POSTROUTING snat ip prefix to ip saddr map {
> 100.80.0.0/30:45.255.128.0/30 tcp 1000-2000 }
> 
> Is it possible to do something like this?

add rule x y meta l4proto tcp snat ip prefix to ip saddr map { 100.80.0.0/30 : 45.255.128.0/30 . 1000-2000 }