Ipsets redirect and dest_ip

dxlr8r · November 28, 2023, 8:48pm

Hello, I cannot get this to work:

config ipset
	option name 'foobar'
	option family 'ipv4'
	list match 'dest_ip'
	list entry '192.168.10.30'

config redirect
	option dest 'home'
	option target 'DNAT'
	option name 'https to foobar'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option ipset 'foobar'
	option dest_port '443'

However if I replace

option ipset 'foobar'

With:

option dest_ip '192.168.10.30'

It works perfectly. Any ideas on what I do wrong here?

eduperez · November 28, 2023, 8:55pm

May I ask what is the point of using an ipset in this situation?

lleachii · November 28, 2023, 8:56pm

@dxlr8r - Yes, why are you attempting to redirect to a set?

I don't think that's possible.

dxlr8r · November 28, 2023, 8:58pm

I will reuse foobar/192.168.10.30 many places, but I plan to migrate that host to a different subnet. So I wanted to use ipsets so I would only need to update it from one place.

vgaetera · November 28, 2023, 9:55pm

fw4 converts the dest_ip IP set to src_dip match for redirects, so it no longer works as dest_ip.

dxlr8r · November 29, 2023, 6:32am

Based on this, I tried changing the ipset to src_ip, but sadly that did not work either.

eduperez · November 29, 2023, 9:42am

Well, ipsets are meant to be used to hold a set of IP addresses, and the destination of a redirect rule can only be a single IP address... so, even if you only keep a single IP address in that ipset, it does not make much sense that the destination is an ipset, does it?

I understand your need, but i do not think an ipset is the right solution (nor I know of a better alternative, unfortunately).

dxlr8r · November 29, 2023, 10:43am

I have been planing to put a template engine to create my configs. So that might be the solution, to have the IP as a variable in the template engine.

dxlr8r · November 29, 2023, 10:54am

On that topic, what is preferred template language/languages (if any) for writing UCI configuration?

_bernd · November 29, 2023, 11:12am

Nftables has variables. And the reload of nftables rules are atomic. With legacy iptables the only way was to insert one rule after another.

I don't know how UCI is able to use nftables variables but have a look at https://wiki.nftables.org/wiki-nftables/index.php/Scripting for the general native approache with nftables...

dxlr8r · November 29, 2023, 11:21am

I also found https://github.com/openwisp/netjsonconfig interesting, being JSON one could tie it together with a general purpose language, Jsonnet, etc.