Hey Benny!
----- ":read !uname -a" starts
Linux mikey 4.13.16 #1 SMP Mon Dec 4 23:14:59 UTC 2017 x86_64 Intel(R) Atom(TM)
CPU C2758 @ 2.40GHz GenuineIntel GNU/Linux
----- ":read !uname -a" ends
----- ":read !zgrep CONFIG_NFT /proc/config.gz" starts
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
CONFIG_NFT_REDIR_IPV6=m
----- ":read !zgrep CONFIG_NFT /proc/config.gz" ends
I tested nft out by creating this file:
----- /etc/sysconfig/ipv4-masq starts
table ip nat {
    # Empty on purpose: nftables NAT wants a hook in both prerouting and
    # postrouting so that reply packets are translated back.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source-NAT everything leaving eth0 to eth0's own address.
        oifname "eth0" masquerade
    }
}
----- /etc/sysconfig/ipv4-masq ends
I then call it up from an rc script by adding these commands:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/nft -f /etc/sysconfig/ipv4-masq
It worked, but it needs some further tweaking to only masquerade for the wlan0
interface to eth0, which is configured for a static IPv4 internet address. Also,
I need to make it work on the machine/kernel where it actually matters:
----- ":read !ssh lmbrain 'uname -a'" starts
Linux lilmikey 4.14.3 #1 SMP Mon Dec 4 05:36:50 UTC 2017 x86_64 Intel(R)
Atom(TM) CPU N2800 @ 1.86GHz GenuineIntel GNU/Linux
----- ":read !ssh lmbrain 'uname -a'" ends
At the moment it is still using iptables to masquerade for the wireless to its
internet connection. From what I've researched thus far, it appears nft is the
preferred method over iptables, or at least is becoming so. As for me, I
personally don't have an opinion on this matter, but I am guessing at least
three of my neighbours, whose so-called smartphones use the wireless to connect
to the internet, do care ... although they are oblivious as to the potential
'upgrade'. ;-)
Anyhow I thought you might be interested.
Life is good,
Maurice
... Don't cry for me I have vi.
--- GNU bash, version 4.4.12(1)-release (x86_64-silvermont-linux-gnu)
* Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)
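The wlan0-to-eth0 restriction Maurice says still needs doing, written out as an added example. This is not his file or rc script: the interface names wlan0/eth0 and the file path /etc/sysconfig/ipv4-masq come from the message, while the `forward` filter chain (which drops every forwarded packet except wireless-to-internet and its replies) and the root/nft-present gate are assumptions of mine. The rule `iifname "wlan0" oifname "eth0" masquerade` replaces his `oifname "eth0" masquerade`, so only forwarded packets that arrived on the wireless side get NAT; the host's own traffic out eth0 keeps eth0's static address.

```shell
#!/bin/sh
# Added example, not the script from the message. Masquerade only traffic
# that arrives on wlan0 and leaves via eth0, and forward nothing else.
# Assumptions: interface names as in the message, nft >= 0.8 syntax, and
# that the box does no other forwarding (the filter chain below drops it).
# Kernel modules used: CONFIG_NFT_MASQ/_IPV4 and CONFIG_NFT_CHAIN_NAT_IPV4
# (all =m in the posted config, so they autoload on first use).

RULESET_FILE="${RULESET_FILE:-/etc/sysconfig/ipv4-masq}"  # path from the message
LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the ruleset. "flush ruleset" first so re-running the rc script
# does not stack a second copy of every rule on top of the first.
ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    # Empty on purpose: NAT needs a hook on both sides so replies are
    # translated back.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Was: oifname "$WAN_IF" masquerade (every packet leaving $WAN_IF).
        # Now only forwarded packets that came in on the wireless side.
        iifname "$LAN_IF" oifname "$WAN_IF" masquerade
    }
}

table ip filter {
    # Assumption: the only forwarding this host should do is wireless -> internet.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}
EOF
}

# Parse-only check (nft -c) when nft is installed; otherwise nothing to do.
check() {
    if command -v nft >/dev/null 2>&1; then
        ruleset | nft -c -f -
    fi
}

# What the rc script would run: write the file, enable forwarding, load it.
apply() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "apply: needs root and nft" >&2
        return 1
    fi
    ruleset > "$RULESET_FILE"
    sysctl -w net.ipv4.ip_forward=1
    nft -f "$RULESET_FILE"
    nft list table ip nat
}

# `sh this.sh apply` as root loads it; `check` dry-runs; default prints it.
case "${1:-show}" in
    apply) apply ;;
    check) check ;;
    *)     ruleset ;;
esac
```

Running the file with no argument just prints the ruleset, so it can be reviewed before `apply` is run from the rc script in place of the two lines Maurice posted.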