I'm rebuilding my router using nftables on Debian Jessie. I have a working setup up to the moment when my ISP decides to assign a new WAN IP by reconnecting my DSL link. After such a reconnect the router itself has an online connection, but masquerading doesn't work any more.
nftables setup before the reconnect:
# nft list table nat
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif ppp0 masquerade
    }
}
nftables setup after the reconnect:
# nft list table nat
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif 8 masquerade
    }
}
So I assume the downtime of ppp0 during the reconnect causes the related rules to become unassigned in some way. Manually re-applying the nft rules (flush + add) solves the problem until the next reconnect.
How can I ensure that the temporarily disabled rules are automatically reassigned to ppp0 after the connection has been re-established?
I finally figured out how to solve this issue.
You just have to use iifname/oifname "ppp0" instead of oif/iif ppp0. The latter addresses the interface by string rather than using the interface id. The quotes are optional, but I think they emphasize the different interpretation well. The manpage simply states:
I don't know if there's any downside like performance impacts when matching, but it feels like it's the correct solution.
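As an added example (not part of the question or the answer above): a POSIX shell script that prints a reconnect-safe ruleset using iifname/oifname throughout, plus a small check over `nft list ruleset` output that flags rules whose iif/oif match has collapsed to a bare interface index, which is the symptom shown in the question. The interface names ppp0 and eth1 and the forward chain are assumptions, and the "after reconnect" sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: ppp0 = WAN
# (PPPoE), eth1 = LAN. Every interface match below uses iifname/oifname,
# which compares the interface name as a string, instead of iif/oif,
# which stores the interface index at rule-load time.
print_ruleset() {
cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "ppp0" masquerade
    }
}
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "ppp0" accept
    }
}
EOF
}

# Read `nft list ruleset` output on stdin and print every rule whose
# iif/oif match is shown as a bare number (e.g. "oif 8"): that is what
# remains once the interface the rule was bound to has gone away.
# Returns 1 if any such rule was found, 0 otherwise.
find_stale_iface_rules() {
    awk '/(^|[[:space:]])[io]if[[:space:]]+[0-9]+([[:space:]]|$)/ { print; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Constructed sample of what the question shows after a PPP reconnect.
SAMPLE_AFTER_RECONNECT='table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif 8 masquerade
    }
}'

# Demo: the stale sample is flagged; the oifname-based ruleset is clean.
printf '%s\n' "$SAMPLE_AFTER_RECONNECT" | find_stale_iface_rules \
    || echo "index-based interface match found: reload the ruleset using oifname"
print_ruleset | find_stale_iface_rules && echo "generated ruleset uses name-based matches only"
```

Save the output of print_ruleset as /etc/nftables.conf (or pipe it into `nft -f -`) and the masquerade rule keeps matching ppp0 across reconnects; run the check against `nft list ruleset` to spot any remaining index-bound rule.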