[PATCH] fw4: add masquerade-prefix snat type
Jonas Lochmann
openwrt at jonaslochmann.de
Sun Oct 26 07:46:58 PDT 2025
On Sun, Oct 26, 2025 at 10:40:25AM -0300, Luiz Angelo Daros de Luca wrote:
> > > + if (best_prefix != null) {
> > > + let base_addr = apply_mask(best_prefix.addr, best_prefix.mask);
> > > + let suffix_mask = to_inverse_mask(best_prefix.bits, true);
> > > + let target = "snat ip6 to ip6 saddr and " + suffix_mask + " or " + base_addr;
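Review bot: the rule text on the last quoted line hand-rolls the prefix rewrite as `ip6 saddr and <suffix_mask> or <base_addr>`, assembled from `apply_mask` and `to_inverse_mask`, which is harder to read and to verify than naming the target prefix directly; consider `"snat ip6 prefix to " + best_prefix.addr + "/" + best_prefix.mask` (the form proposed later in this reply), which expresses the same mapping in one token and drops both helper calls. Whichever form is kept, `best_prefix.addr` and `best_prefix.mask` are spliced into rule text as-is, so the `if (best_prefix != null)` guard should be backed by validation that both fields are well-formed before the string is emitted.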
>
> I didn't try the patch in a real device but it looks like it is using
> a different approach than the one I'm using. In my case, I have:
>
> nft add rule inet fw4 srcnat_netmap oifname "$DEVICE" snat ip6 prefix
> to ip6 saddr map { $ip6addr : $ip6prefix/$ip6prefix_mask }
Those $variables are not part of nftables (well, they are also supported
when parsing nft files, but not with "nft add rule" from the CLI). So I
assume that you have a shell script defining these (which is comparable
to inserting the values in fw4). You could check the "rendered" ruleset
with "nft list ruleset".
> I don't know if it is better or worse but it explicitly cites the
> prefix in the rule.
let target = "snat ip6 prefix to " + best_prefix.addr + "/" + best_prefix.mask;
This untested version would use this feature too instead of the manual
bit operations on the IP.
I don't know why you have that map with only one item in your rule.
If $ip6addr filters your "local" subnet (not a single IP), it would work.
Still, I consider it equivalent to
nft add rule inet fw4 srcnat_netmap oifname "$DEVICE" \
ip6 saddr $ip6addr snat ip6 prefix to $ip6prefix/$ip6prefix_mask
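As an added illustration (not code from fw4, the patch, or either poster), the following Python models what the two rule forms discussed above do to a packet: it renders both the bit-operation rule string the patch builds and the `snat ip6 prefix to` form, and applies the translation only to sources matched by the `ip6 saddr $ip6addr` filter. The prefixes are constructed sample values, and the rendered strings assume `to_inverse_mask` yields an IPv6 address literal.

```python
import ipaddress

# Constructed sample values: a "local" ULA /64 and the delegated global /64
# whose network bits should replace the local ones.
LOCAL_PREFIX = ipaddress.IPv6Network("fd00:1234::/64")
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")
ALL_ONES = (1 << 128) - 1


def prefix_mask(bits):
    """Mask selecting the top `bits` network bits (what apply_mask keeps)."""
    return (ALL_ONES << (128 - bits)) & ALL_ONES


def to_inverse_mask(bits):
    """Mask selecting the host (suffix) bits: the complement of prefix_mask."""
    return ALL_ONES ^ prefix_mask(bits)


def render_bitops_rule(prefix):
    """Rule text in the shape the patch emits, with masks as address literals."""
    suffix_mask = ipaddress.IPv6Address(to_inverse_mask(prefix.prefixlen))
    base_addr = prefix.network_address
    return f"snat ip6 to ip6 saddr and {suffix_mask} or {base_addr}"


def render_prefix_rule(prefix):
    """Rule text in the 'snat ip6 prefix to' form from the reply."""
    return f"snat ip6 prefix to {prefix}"


def translate(saddr, prefix):
    """What both rules do to saddr: keep its suffix bits, replace the
    network bits with those of the target prefix.  Note the host part is
    preserved unchanged, so the internal suffix remains visible outside."""
    suffix = int(saddr) & to_inverse_mask(prefix.prefixlen)
    base_addr = int(prefix.network_address) & prefix_mask(prefix.prefixlen)
    return ipaddress.IPv6Address(suffix | base_addr)


def netmap(saddr, local=LOCAL_PREFIX, external=EXTERNAL_PREFIX):
    """The full rule as a function: 'ip6 saddr $ip6addr' selects only the
    local subnet; any other source is left untranslated (None)."""
    saddr = ipaddress.IPv6Address(saddr)
    if saddr not in local:
        return None
    return translate(saddr, external)
```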
More information about the openwrt-devel mailing list