[Bug 1410] STATELESS, rules with notrack into a map

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Apr 16 10:56:24 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #6)
> (In reply to Pablo Neira Ayuso from comment #5)
> > (In reply to Pablo Neira Ayuso from comment #3)
> > [...]
> > > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > > > 
> > > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > > > rewrite source address to 1.1.1.1 and so on.
> > > 
> > > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> > > 1.1.1.2 : 2.2.2.3 } notrack
> > 
> > Assuming the legacy table/chains, you can use postrouting/mangle for the
> > stateless dnat
> 
> You will still need to disable conntrack from PREROUTING for stateless
> dnat, so this would be:

This example is actually stateless snat, sorry for the typo.

> nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2} notrack
> 
> The rule above disables conntrack for traffic coming from 1.1.1.1 and
> 1.1.1.2, then:
> 
> nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 :
> 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
> 
> This rule performs the stateless snat.
> 
> I can place these examples in the wiki if you like.
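
The two rules above, written as one nft ruleset in native syntax (an added example, not part of the bug report or the netfilter wiki). It keeps the addresses from the thread and extends the setup with the return direction: because conntrack is disabled, nothing reverses the translation for replies addressed to 2.2.2.2 or 2.2.2.3, so the reverse mapping has to be an explicit rule, and those replies must be excluded from tracking as well. The table and chain names are assumptions; priorities `raw` (-300) and `mangle` (-150) match the legacy raw PREROUTING and mangle POSTROUTING chains used in the thread.

```nft
# Stateless source NAT for 1.1.1.1 and 1.1.1.2, rewritten to 2.2.2.2 and 2.2.2.3.
# Added example, not code from the bug report; table/chain names are assumed.
table ip stateless_snat {
    chain prerouting {
        # Same hook point as legacy raw PREROUTING.
        type filter hook prerouting priority raw; policy accept;

        # Outbound: keep conntrack out of the picture for the mapped hosts,
        # otherwise the NAT engine would try to undo the rewrite for replies.
        ip saddr { 1.1.1.1, 1.1.1.2 } notrack

        # Return traffic: with no conntrack entry there is no automatic reverse
        # translation, so map the destination back explicitly and leave it
        # untracked too. notrack is not a verdict, so the set rule still runs.
        ip daddr { 2.2.2.2, 2.2.2.3 } notrack
        ip daddr set ip daddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
    }

    chain postrouting {
        # Same hook point as legacy mangle POSTROUTING.
        type filter hook postrouting priority mangle; policy accept;

        # The stateless snat itself: rewrite the source address via the map.
        ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
    }
}
```

Save it to a file and run `nft -c -f <file>` to syntax-check it without loading, then `nft -f <file>` to apply. Since no conntrack state exists for this traffic, stateful matches such as `ct state established` in later chains will never see it as established; any filtering for these flows has to be written statelessly as well.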
