[feature request] support DNAT on the NAT output chain #24
Comments
Please post the full ruleset list (replace IPs with IP1, IP2, IP3 as you already do).
Not a thing.
This is the only difference (except for counters) after adding the DNAT rule:
That is somewhat contrary to how dnat is intended to work by standard nftables behaviour, i.e. not in prerouting priority -100. If you want non-standard translation you need to use custom hooks, as you already figured out.
It is /usr/share/firewall4/templates/ruleset.uc that jumps via zone-jump.uc to a section with a specific zone+hook+priority chain with the respective rule.
There is a picture in the first linked doc. You might need to use postrouting to cover both output and forward traffic; each filter and action has a range of af/type/hook/prio combinations that you really find in the kernel and nft sources, and nobody took the time to draw a full diagram.
Thanks for the suggestion. However, nft throws errors when loading my custom rule after changing from output to postrouting:
which indicates that DNAT on the postrouting chain is not valid/supported by nftables.
I took a glance at the fw4 implementation before creating this issue. DNAT rules are translated at firewall4/root/usr/share/ucode/fw4.uc (lines 2788 to 2795 in 698a533) and firewall4/root/usr/share/firewall4/templates/ruleset.uc (lines 294 to 305 in 698a533); prerouting is hardcoded, i.e., fw4 is currently unable to handle DNAT on the output chain.
You can add hooks contradicting iptables and fw3 via your own rule files. Check the ruleset.
Other firewall frameworks do not model their config language after iptables, and nobody gets the idea that it needs a 1:1 reflection of the backend.
Yes, I'll pick the custom rule solution for now. I just think it would be a nice addition to fw4, so I propose it here for discussion.
Sure, it would be nice to have a rule entering hooks with numbers and anything that could appear in a rule, then test if the resulting hook+rule works when saving, but the situation is covered by existing includes already, like zone->interface macros etc.
I want to redirect all traffic from LAN to WAN IP1 (or an ipset) to WAN IP2. For now, this can be accomplished by the DNAT rule:
which will generate the following nftables rule:
However, the dstnat_lan chain is part of the nat postrouting chain, so it will apply to devices behind the router, not the router itself. To enable the redirection for the router, I have to resort to a custom nftables rule:
Please make fw4 capable of generating DNAT rules on the nat output chain that suppresses my custom rule.
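The workaround the thread settles on, written out as an added example (not the issue author's rule or fw4's own output): an fw4 include file that attaches the same translation to the nat output hook, so the router's own connections to IP1 are redirected while forwarded LAN traffic keeps using the fw4-generated prerouting rule. The file path, chain name and the 192.0.2.x addresses are assumptions; fw4 includes files from /etc/nftables.d/ inside its inet fw4 table.

```nft
# /etc/nftables.d/10-dnat-output.nft (assumed path; fw4 includes this
# fragment inside "table inet fw4", so no table wrapper is needed here).
#
# The fw4-generated "dstnat_lan" rule hangs off the prerouting hook and
# therefore only sees packets arriving from other hosts. Locally generated
# traffic never traverses prerouting, so a second chain on the nat output
# hook is required to translate the router's own connections.
chain dstnat_output_lan {
	# nat/output at priority -100 mirrors the priority fw4 uses for dstnat.
	type nat hook output priority -100; policy accept;

	# Placeholder addresses: IP1 = 192.0.2.1 (original WAN IP),
	# IP2 = 192.0.2.2 (destination the traffic should be redirected to).
	ip daddr 192.0.2.1 dnat to 192.0.2.2
}
```

Validate the fragment before it reaches a running router with `nft -c -f` on the combined ruleset (fw4 does this with `fw4 check`), and confirm with `nft list ruleset` that the chain appears under table inet fw4 alongside the fw4-generated dstnat chains.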