On Tue, 26 Apr 2022 at 1:33, Kamil Jońca (<kjonca@xxxxx>) wrote:
>
> Maximiliano Estudies <maxiestudies@xxxxxxxxx> writes:
>
> > Hi,
> > I'm trying to use a set as a snat target and failing. This is my config:
> >
> > table ip nat { # handle 73
> >   set dc-cidr-nat { # handle 3
> >     type ipv4_addr
> >     flags interval
> >     elements = { <internal-network> }
> >   }
> >
> >   set external-ip-net { # handle 4
> >     type ipv4_addr
> >     elements = { <public-ip> }
> >   }
> >
> >   chain POSTROUTING { # handle 1
> >     type nat hook postrouting priority srcnat; policy accept;
> >     ip saddr @dc-cidr-nat oif "enp1s0f0" snat to @external-ip-net comment "internet gateway" # handle 7
> >   }
> > }
> >
> > This fails with "Error: syntax error, unexpected string, expecting ll
> > or nh or th". Using an anonymous set doesn't work either, but hard
> > coding the <external-ip> does. I can't find any hint in the wiki if
> > sets are allowed in this context.
>
> A set can have 0 elements or more than 1. What should your poor computer
> do in these cases? Where should it snat to?
>
> IMO you should use a kind of map:
>
> table ip nat {
>
>   map dhcp_snat {
>     type iface_index : ipv4_addr
>   }
>
>   set dhcp_ifaces {
>     type iface_index
>   }
>
>   chain POSTROUTING {
>     type nat hook postrouting priority srcnat; policy accept;
>     oif @dhcp_ifaces rt ipsec missing snat to oif map @dhcp_snat
>   }
>
> }
>
> Here, when the dhcp script puts
> { "wlan0" } into dhcp_ifaces
> and
> { "wlan0" : 192.168.1.1 } into dhcp_snat
> traffic outgoing via wlan0 will be snat-ed to 192.168.1.1.
> KJ
>
>
> --
> http://wolnelektury.pl/wesprzyj/teraz/

Thanks for your answer Kamil! Your proposed solution is very elegant. I didn't know that sets can be empty and assumed that if the set had more than one element the addresses would be treated as a pool. I'm rendering the config with a config management tool that doesn't support maps in the nftables module; I'll try to extend it.
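As an added example (not code from the thread, from nftables, or from any config-management module), a small Python renderer for the map-based ruleset Kamil describes, the kind of extension Maximiliano mentions wanting in his config-management tool: it emits one `snat to <selector> map @map` rule keyed by the outgoing interface and refuses an empty map or malformed values before anything reaches `nft -f`. It uses the `ifname`/`oifname` pair rather than Kamil's `iface_index`/`oif` (nftables accepts both), and the interface names, addresses and network in the test are constructed sample values.

```python
"""Render an nftables 'ip nat' table that SNATs per outgoing interface through
a map, as Kamil suggests, instead of 'snat to @set'. Added example, not code
from the thread, from nftables or from any config-management module."""
from ipaddress import IPv4Address, IPv4Network
import re

_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # Linux IFNAMSIZ-1 chars


def snat_map_errors(snat_map):
    """Return problems that make an 'ifname -> ipv4_addr' map unusable."""
    errors = []
    if not snat_map:  # a set/map with 0 entries leaves nothing to snat to
        errors.append("snat map is empty")
    for ifname, addr in snat_map.items():
        if not _IFNAME_RE.match(ifname):
            errors.append(f"bad interface name: {ifname!r}")
        try:
            IPv4Address(addr)
        except ValueError:
            errors.append(f"not an IPv4 address for {ifname}: {addr!r}")
    return errors


def render_snat_table(snat_map, internal_nets):
    """Ruleset for 'nft -f': snat_map is {ifname: address}, internal_nets CIDRs."""
    errors = snat_map_errors(snat_map)
    if errors:
        raise ValueError("; ".join(errors))
    nets = ", ".join(str(IPv4Network(n)) for n in internal_nets)  # raises on bad CIDR
    ifaces = ", ".join(f'"{i}"' for i in snat_map)
    elems = ", ".join(f'"{i}" : {a}' for i, a in snat_map.items())
    # One rule covers every uplink: the address is looked up per outgoing interface.
    return f"""table ip nat {{
\tset dc-cidr-nat {{
\t\ttype ipv4_addr
\t\tflags interval
\t\telements = {{ {nets} }}
\t}}
\tset snat_ifaces {{
\t\ttype ifname
\t\telements = {{ {ifaces} }}
\t}}
\tmap snat_addr {{
\t\ttype ifname : ipv4_addr
\t\telements = {{ {elems} }}
\t}}
\tchain postrouting {{
\t\ttype nat hook postrouting priority srcnat; policy accept;
\t\tip saddr @dc-cidr-nat oifname @snat_ifaces snat to oifname map @snat_addr
\t}}
}}"""
```

Adding a new uplink at runtime is then two element inserts (`nft add element ip nat snat_ifaces ...` and `nft add element ip nat snat_addr ...`) with no rule change.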