Re: using sets as snat targets in nat tables

Maximiliano Estudies <maxiestudies@xxxxxxxxx> writes:

> Hi,
> I'm trying to use a set as a snat target and failing. This is my config:
>
> table ip nat { # handle 73
>         set dc-cidr-nat { # handle 3
>                 type ipv4_addr
>                 flags interval
>                 elements = { <internal-network> }
>         }
>
>         set external-ip-net { # handle 4
>                 type ipv4_addr
>                 elements = { <public-ip> }
>         }
>
>         chain POSTROUTING { # handle 1
>                 type nat hook postrouting priority srcnat; policy accept;
>                 ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
>         }
>
> This fails with "Error: syntax error, unexpected string, expecting ll
> or nh or th". Using an anonymous set doesn't work either, but hard
> coding the <external-ip> does. I can't find any hint in the wiki if
> sets are allowed in this context.

A set can have 0 elements or more than 1. What should your poor computer
do in these cases? Where should it snat to?

IMO you should use a kind of map:

table ip nat {

        map dhcp_snat {
                type iface_index : ipv4_addr
        }

        set dhcp_ifaces {
                type iface_index
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
        }

}

Here, when the dhcp script puts
  { "wlan0" } into dhcp_ifaces
  and
   { "wlan0" : 192.168.1.1 } into dhcp_snat,
traffic outgoing via wlan0 will be snat-ed to 192.168.1.1.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/
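The "dhcp script" in the reply above is the piece that actually keeps the set and map in step with the lease. What follows is an added example of that hook in POSIX sh; it is not code from the thread or from the nftables project. The table, set and map names come from KJ's ruleset; the function names and the lease values are this example's own, and the dhclient variables ($reason, $interface, $new_ip_address) are the ones dhclient-script exports to its hooks. Because the interface name and address are interpolated into rule text that `nft -f` parses, and they originate from the DHCP server, both are validated before anything is printed.

```shell
#!/bin/sh
# Added example, not code from the thread: a lease hook that emits the
# nft batch registering an interface in the dhcp_ifaces set and its
# address in the dhcp_snat map (names from KJ's ruleset). Function and
# variable names are this example's own.

# Plausible interface name: letters, digits, '.', '_', '-', at most
# 15 characters (IFNAMSIZ minus the terminator). Anything else is
# rejected so it can never alter the element syntax it is printed into.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Dotted quad with exactly four octets, each 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -f; set -- $1; set +f
    IFS=$_oldifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Batch for a new or renewed lease. Prints nothing and fails on bad input.
snat_bind_batch() {
    valid_ifname "$1" || return 1
    valid_ipv4 "$2" || return 1
    printf 'add element ip nat dhcp_ifaces { "%s" }\n' "$1"
    printf 'add element ip nat dhcp_snat { "%s" : %s }\n' "$1" "$2"
}

# Batch for a released or expired lease.
snat_release_batch() {
    valid_ifname "$1" || return 1
    printf 'delete element ip nat dhcp_ifaces { "%s" }\n' "$1"
    printf 'delete element ip nat dhcp_snat { "%s" }\n' "$1"
}

# Hook entry point. A dhclient exit hook would call it as
#   apply_lease "$reason" "$interface" "$new_ip_address"
# 'add element' is rejected (EEXIST) for a map key that already maps to a
# different address, so a renewal first removes any old entry (ignoring
# "does not exist") and then adds the current one in a second transaction.
apply_lease() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT)
            _batch=$(snat_bind_batch "$2" "$3") || return 1
            snat_release_batch "$2" | nft -f - 2>/dev/null
            printf '%s\n' "$_batch" | nft -f - ;;
        EXPIRE|RELEASE|STOP)
            _batch=$(snat_release_batch "$2") || return 1
            printf '%s\n' "$_batch" | nft -f - ;;
    esac
}
```

The two-transaction renewal leaves a short window in which packets leaving the interface are not SNATed; for a DHCP renewal that is usually acceptable, and a single `nft -f` batch cannot express "delete if present" on older nftables (newer releases add `destroy element` for exactly that). Feeding the batch through `nft -f -` rather than building one `nft add element ...` command per value keeps each lease change atomic with respect to other rule updates.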