
I'm trying to configure an nftables rule for forwarding traffic from my server to an LXC container. However, the way the Salt nftables state module renders the given dport value is not accepted by nftables. How should I proceed?

Salt configuration:

kevin-container-web-port-http:
  nftables.append:
    - family: ip
    - table: nat
    - chain: PREROUTING
    - priority: 100
    - iif: eth0
    - dport: '80, 443'
    - proto: tcp
    - to: '10.0.3.32'
    - jump: dnat

Output from state.apply:

      ID: kevin-container-web-port-http
Function: nftables.append
  Result: False
 Comment: Failed to set nftables rule for kevin-container-web-port-http.
          Attempted rule was tcp dport { 80, 443 } dnat for ip.
          Failed to add rule "tcp dport { 80, 443 } dnat" chain PREROUTING in table nat in family ip.
 Started: 17:36:42.821866
Duration: 154.261 ms
 Changes:

When trying to add the rule manually:

$ nft add rule nat prerouting iif eth0 tcp dport 80 dnat 10.0.3.32
$ nft list table nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        iif "eth0" tcp dport { http, https } dnat to 10.0.3.32
    }

    ...

}
jbakker

1 Answer


After extensively reading the man pages for nftables, I decided to try adding the to field in the jump argument. The configuration works with the following setup:

kevin-container-web-port-http:
  nftables.append:
    - family: ip
    - table: nat
    - chain: PREROUTING
    - iif: eth0
    - dport: 80
    - proto: tcp
    - jump: dnat to 10.0.3.32:80
jbakker
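As an added example (not Salt's own renderer and not code from the original poster), a small Python helper that builds the rule body the way the working configuration does: a comma-separated dport value becomes an nft anonymous set, and a dnat verdict is only emitted together with its to target, which is exactly what the failed rule in the state output above ("tcp dport { 80, 443 } dnat") was missing. Function names and the argument names are hypothetical.

```python
"""Render Salt-style nftables.append parameters into an nft rule.

Hypothetical helper, not Salt's code: it mirrors the state's parameters
(iif, proto, dport, jump, to) and refuses to emit a dnat without a target.
"""
import shlex


def render_dports(dport):
    """'80' -> '80'; '80, 443' -> '{ 80, 443 }' (an nft anonymous set)."""
    ports = [p.strip() for p in str(dport).split(",") if p.strip()]
    if not ports:
        raise ValueError("dport must name at least one port")
    for p in ports:
        if not p.isdigit() or not 0 < int(p) <= 65535:
            raise ValueError(f"invalid port: {p!r}")
    return ports[0] if len(ports) == 1 else "{ " + ", ".join(ports) + " }"


def render_rule(iif=None, proto=None, dport=None, jump=None, to=None):
    """Build e.g. 'iif eth0 tcp dport { 80, 443 } dnat to 10.0.3.32'.

    A bare dnat/snat verdict without 'to' is rejected here, since nft only
    reports a generic failure later. A jump that already carries its own
    target (the answer's 'dnat to 10.0.3.32:80') is passed through as-is.
    """
    parts = []
    if iif:
        parts.append(f"iif {iif}")
    if dport is not None:
        if not proto:
            raise ValueError("dport requires proto (tcp or udp)")
        parts.append(f"{proto} dport {render_dports(dport)}")
    if jump in ("dnat", "snat"):
        if not to:
            raise ValueError(f"{jump} requires a 'to' target address")
        parts.append(f"{jump} to {to}")
    elif jump:
        parts.append(jump)
    return " ".join(parts)


def nft_add_rule_argv(family, table, chain, **rule):
    """argv for 'nft add rule ...', ready for subprocess.run() (not run here)."""
    return ["nft", "add", "rule", family, table, chain] + shlex.split(render_rule(**rule))
```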