|
 |
f1d1c0 |
# Sample configuration snippet for nftables service.
|
|
|
f1d1c0 |
# Meant to be included by main.nft, not for direct use.
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# dedicated table for IPv4
|
|
|
f1d1c0 |
table ip nftables_svc {
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# interfaces to masquerade traffic from
|
|
|
f1d1c0 |
set masq_interfaces {
|
|
|
f1d1c0 |
type ifname
|
|
|
f1d1c0 |
elements = { "virbr0" }
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# networks to masquerade traffic from
|
|
|
f1d1c0 |
# 'interval' flag is required to support subnets
|
|
|
f1d1c0 |
set masq_ips {
|
|
|
f1d1c0 |
type ipv4_addr
|
|
|
f1d1c0 |
flags interval
|
|
|
f1d1c0 |
elements = { 192.168.122.0/24 }
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# base-chain to manipulate conntrack in postrouting,
|
|
|
f1d1c0 |
# will see packets for new or related traffic only
|
|
|
f1d1c0 |
chain POSTROUTING {
|
|
|
f1d1c0 |
type nat hook postrouting priority srcnat + 20
|
|
|
f1d1c0 |
policy accept
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
iifname @masq_interfaces oifname != @masq_interfaces masquerade
|
|
|
f1d1c0 |
ip saddr @masq_ips masquerade
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
}
|