After setting IPMasquerade = "yes";, the command nft list ruleset adds the following to the output (in comparison to not setting IPMasquerade = "yes";):
table ip io.systemd.nat {
	set masq_saddr {
		type ipv4_addr
		flags interval
		elements = { 10.201.0.0/24 }
	}
	map map_port_ipport {
		type inet_proto . inet_service : ipv4_addr . inet_service
	}
	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
	}
	chain output {
		type nat hook output priority -99; policy accept;
		ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
	}
	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip saddr @masq_saddr masquerade
	}
}
table ip6 io.systemd.nat {
	set masq_saddr {
		type ipv6_addr
		flags interval
	}
	map map_port_ipport {
		type inet_proto . inet_service : ipv6_addr . inet_service
	}
	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
	}
	chain output {
		type nat hook output priority -99; policy accept;
		ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
	}
	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip6 saddr @masq_saddr masquerade
	}
}
So I guess that is it, nft allows me to see that.
For information:
# iptables -t io.systemd.nat -L -v
iptables v1.8.7 (nf_tables): table 'io.systemd.nat' does not exist
Perhaps iptables or your kernel needs to be upgraded.
# iptables-legacy -t io.systemd.nat -L -v
iptables v1.8.7 (legacy): can't initialize iptables table `io.systemd.nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
However, I had to install nftables to be able to run the nft command. Would it not make sense that this program is installed by default if it is the new tool to manage the firewall?
What would you like me to open an issue for? You answered my question so I am not sure I understand.
Is it an issue for the fact that we cannot see the rule with iptables -t nat -L -v?
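A small checker for the ruleset shape shown above, added here as an example (not code from systemd, nftables or the post): it parses the text form of `nft list ruleset`, collects the masq_saddr elements and the postrouting masquerade rule per table, and answers whether a given source address would actually be masqueraded. The embedded ruleset is a constructed, trimmed copy of the two io.systemd.nat tables; the empty ip6 set is kept deliberately, since a masquerade rule over an empty set matches nothing.

```python
import ipaddress
import re

# Constructed sample (not captured from any host): the ip and ip6 tables that
# systemd-networkd adds for IPMasquerade=yes, trimmed to the masquerade parts.
SAMPLE_RULESET = """\
table ip io.systemd.nat {
	set masq_saddr {
		elements = { 10.201.0.0/24 }
	}
	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip saddr @masq_saddr masquerade
	}
}
table ip6 io.systemd.nat {
	set masq_saddr {
		flags interval
	}
	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip6 saddr @masq_saddr masquerade
	}
}
"""

def parse_nat_tables(ruleset: str) -> dict:
    """Return {table: {"masq_saddr": [networks], "masquerade_rule": bool}}."""
    tables, table, in_set = {}, None, False
    for line in (raw.strip() for raw in ruleset.splitlines()):
        m = re.match(r"table (ip6?) (\S+) \{", line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            tables[table] = {"masq_saddr": [], "masquerade_rule": False}
        elif line.startswith("set masq_saddr"):
            in_set = True
        elif in_set and line.startswith("elements"):
            body = line[line.index("{") + 1:line.rindex("}")]
            nets = [ipaddress.ip_network(e.strip()) for e in body.split(",") if e.strip()]
            tables[table]["masq_saddr"].extend(nets)
        elif in_set and line == "}":
            in_set = False          # end of the set block
        elif line.endswith("saddr @masq_saddr masquerade"):
            tables[table]["masquerade_rule"] = True
    return tables

def is_masqueraded(ruleset: str, src: str) -> bool:
    """True only if some table both has the masquerade rule and lists `src` in masq_saddr."""
    addr = ipaddress.ip_address(src)
    return any(t["masquerade_rule"] and any(addr in n for n in t["masq_saddr"])
               for t in parse_nat_tables(ruleset).values())
```

On a live host the same functions can be fed `subprocess.check_output(["nft", "list", "ruleset"], text=True)` instead of the sample.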
Well if you’ve asked this question and are confused, then others will more likely be confused.
So, it either needs patching. Options are (there are more options):
the nft tools are brought in with the nft subsystem; however, devops type people like their system ultra light without external tools!!!
iptables needs integrating with nft to work as legacy commands
iptables needs to give you a warning to use the nft tools if the nft subsystem is enabled
This might be on the tracker already, I've not checked yet.
But it's not always about answering your question, it's about making NixOS better for the fame, the glory (and potentially fortune) that comes with it.