
[feature request] support DNAT on the NAT output chain

Open moetayuko opened this issue 1 year ago • 9 comments

I want to redirect all traffic from LAN to WAN IP1 (or an ipset) to WAN IP2. For now, this can be accomplished by the DNAT rule:

config redirect
        option target 'DNAT'
        option name 'IP1-IP2'
        option family 'ipv4'
        option src 'lan'
        option ipset 'IPSET1'
        option dest_ip 'IP2'
        list proto 'all'

which will generate the following nftables rule:

chain dstnat_lan {
        ip daddr @IPSET1 counter packets 0 bytes 0 dnat ip to IP2 comment "!fw4: IP1-IP2"
}

However, the dstnat_lan chain is part of the nat postrouting chain, so it will apply to devices behind the router, not the router itself.

To enable the redirection for the router, I have to resort to a custom nftables rule:

chain user_pre_output_nat {
    type nat hook output priority -1; policy accept;
    ip daddr @IPSET1 counter dnat ip to IP2
}

Please make fw4 capable of generating DNAT rules on the nat output chain that suppresses my custom rule.

moetayuko, Mar 07 '24 12:03

Please post the full ruleset listing (replace IPs with IP1, IP2, IP3 as you already do). There should be ct status dnat accept fw rules generated from your rule.

brada4, Mar 07 '24 14:03

Please post the full ruleset listing (replace IPs with IP1, IP2, IP3 as you already do). There should be ct status dnat accept fw rules generated from your rule.

Not a thing.

chain dstnat_lan {
        ip daddr @IPSET1 counter packets 0 bytes 0 dnat ip to IP2 comment "!fw4: IP1-IP2"
}

This is the only difference (except for counters) after adding the DNAT rule.

moetayuko, Mar 07 '24 15:03

That is somewhat contrary to how dnat is intended to work by standard nftables behaviour, i.e. not in prerouting at priority -100: https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Destination_NAT

If you want non-standard translation you need to use custom hooks like you already figured out.

brada4, Mar 07 '24 16:03

It is /usr/share/firewall4/templates/ruleset.uc that jumps via zone-jump.uc to a section with a specific zone+hook+priority chain containing the respective rule.

brada4, Mar 07 '24 16:03

There is a picture in the first linked doc; you might need to use postrouting to cover both output and forward traffic. Each filter and action has a range of af/type/hook/prio values that you really only find in the kernel and nft sources; nobody took the time to draw a full diagram.

brada4, Mar 07 '24 16:03

There is a picture in the first linked doc; you might need to use postrouting to cover both output and forward traffic.

Thanks for the suggestion. However, nft throws errors when loading my custom rule after changing from output to postrouting:

chain user_pre_postrouting_nat {
    type nat hook postrouting priority -1; policy accept;
    ip daddr @IPSET1 counter dnat ip to IP2
}

which indicates that DNAT on the postrouting chain is not valid/supported by nftables. In contrast, DNAT on the output chain is supported by nftables, because it works whether or not it is documented, which suggests it is reasonable to implement it in fw4.

It is /usr/share/firewall4/templates/ruleset.uc that jumps via zone-jump.uc to a section with a specific zone+hook+priority chain containing the respective rule.

I took a glance at the fw4 implementation before creating this issue. DNAT rules are translated at https://github.com/openwrt/firewall4/blob/698a53354fd280aae097efe08803c0c9a10c14c2/root/usr/share/ucode/fw4.uc#L2788-L2795 and sourced in ruleset.uc by one of https://github.com/openwrt/firewall4/blob/698a53354fd280aae097efe08803c0c9a10c14c2/root/usr/share/firewall4/templates/ruleset.uc#L294-L305 where prerouting is hardcoded, i.e., fw4 is currently unable to handle DNAT on the output chain.

moetayuko, Mar 08 '24 03:03

You can add hooks contradicting iptables and fw3 via your own rule files.

Check the ruleset:

fw4 check
fw4 print | nft -c -f -

Other firewall frameworks do not model their config language after iptables, and nobody gets the idea that it needs a 1:1 reflection of the backend.

brada4, Mar 08 '24 06:03
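The postrouting attempt above fails because nft only accepts each NAT statement on certain hooks (dnat and redirect in prerouting and output, snat in postrouting and input, masquerade in postrouting only), and the `fw4 print | nft -c -f -` check is what normally surfaces that. As an added example that is not fw4 code, the checker below spots the same mismatch in `nft list ruleset`-style text without needing nft installed; the sample chains and the 192.0.2.2 address are constructed for the demonstration.

```python
import re

# Hooks on which nft accepts each NAT statement (from the nftables NAT docs
# linked in the thread). Any other hook makes nft reject the ruleset.
VALID_HOOKS = {"dnat": {"prerouting", "output"}, "redirect": {"prerouting", "output"},
               "snat": {"postrouting", "input"}, "masquerade": {"postrouting"}}
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"\btype\s+nat\s+hook\s+(\w+)\s+priority\s+-?\d+")
NAT_STMT_RE = re.compile(r"\b(dnat|snat|redirect|masquerade)\b")

def check_nat_chains(ruleset: str):
    """Scan `nft list ruleset` text; return (chain, hook, statement, rule) for
    every NAT statement on a hook where nft would reject it. Hookless chains
    (jump targets such as dstnat_lan) are skipped: the caller decides the hook."""
    problems = []
    chain = hook = None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:                       # entering a chain block
            chain, hook = m.group(1), None
            continue
        if chain is None:
            continue
        m = HOOK_RE.search(line)
        if m:                       # base chain: remember its hook
            hook = m.group(1)
            continue
        if line.strip() == "}":     # leaving the chain block
            chain = hook = None
            continue
        m = NAT_STMT_RE.search(line)
        if m and hook is not None and hook not in VALID_HOOKS[m.group(1)]:
            problems.append((chain, hook, m.group(1), line.strip()))
    return problems

# Constructed sample: the working output-hook chain and the postrouting one.
SAMPLE = """\
chain user_pre_output_nat {
    type nat hook output priority -1; policy accept;
    ip daddr @IPSET1 counter dnat ip to 192.0.2.2
}
chain user_pre_postrouting_nat {
    type nat hook postrouting priority -1; policy accept;
    ip daddr @IPSET1 counter dnat ip to 192.0.2.2
}
"""

if __name__ == "__main__":
    for chain, hook, stmt, rule in check_nat_chains(SAMPLE):
        print(f"{chain}: '{stmt}' is not valid on the {hook} hook: {rule}")
```

Running it reports only user_pre_postrouting_nat, which is exactly the chain nft refused to load.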

Yes, I'm picking the custom rule solution for now. I just think it would be a nice addition to fw4, so I propose it here for discussion.

moetayuko, Mar 08 '24 07:03

It sure would be nice to have a rule type that enters hooks by number and anything else that could appear in a rule, then tests whether the resulting hook+rule works when saving, but the situation is already covered by existing includes, like the zone->interface macros etc.

brada4, Mar 08 '24 08:03