I have a wireguard network in which I want a "host" peer to forward some traffic to multiple network cameras in its local network. Said peer registers several IPs, and I want to use nftables to route traffic to a specific camera based on which of its IPs is being accessed, as if the cameras themselves were on the wireguard network.
The reduced wireguard conf looks like this:

    [Interface]
    PrivateKey = [REDACTED]
    Address = 10.10.0.1/24, 10.10.0.150/32, 10.10.0.151/32, 10.10.0.152/32, 10.10.0.153/32, 10.10.0.154/32 # ...
I then use nftables to set up the routing.

    table ip filter {
        chain input {
            type filter hook input priority filter; policy accept;
            # various rules...
        }
        chain forward {
            type filter hook forward priority filter; policy accept;
            ct status dnat accept
            iifname "wg0" accept
            oifname "wg0" accept
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0;
            ip daddr 10.10.0.150 iifname "wg0" tcp dport 80 dnat to 10.0.1.150
            ip daddr 10.10.0.151 iifname "wg0" tcp dport 80 dnat to 10.0.1.151
            ip daddr 10.10.0.152 iifname "wg0" tcp dport 80 dnat to 10.0.1.152
            ip daddr 10.10.0.153 iifname "wg0" tcp dport 80 dnat to 10.0.1.153
            ip daddr 10.10.0.154 iifname "wg0" tcp dport 80 dnat to 10.0.1.154
        }
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifname "eth0" masquerade
        }
    }
I want to simplify the copy/pasting in the prerouting chain by use of maps, but I can't figure out how to actually use them. The documentation gives some short examples but I still don't understand it.
I can define a map easily enough:

    define cameras = { \
        10.10.0.150 : 10.0.1.150, \
        10.10.0.151 : 10.0.1.151, \
        10.10.0.152 : 10.0.1.152, \
        10.10.0.153 : 10.0.1.153, \
        10.10.0.154 : 10.0.1.154, \
    }
But how do I actually apply it in an ip daddr {} iifname "wg0" tcp dport 80 dnat to {} expression?