support to split network from host

root@daniel-book:~# iptables -t nat -S XTT_pos-example
-N XTT_pos-example
-A XTT_pos-example -d 169.254.222.0/24 -m set --match-set xtt_example_r src -m comment --comment "To VPN" -j MASQUERADE
-A XTT_pos-example -s 172.66.99.0/24 -m set --match-set xtt_example_r dst -m comment --comment "To Masq" -j MASQUERADE
-A XTT_pos-example -s 169.254.222.0/24 -m mark --mark 0xa -m set --match-set xtt_example_v dst -m comment --comment "From VPN" -j MASQUERADE
root@daniel-book:~#

root@daniel-book:~# iptables -S -t raw -L XTT_pre-example
-A XTT_pre-example -i tun1025 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i br-example -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i tun1025 -j CT --zone mark
-A XTT_pre-example -i br-example -j CT --zone mark
-A XTT_pre-example -i b1 -j CT --zone mark
root@daniel-book:~#

root@daniel-book:~# iptables -t raw -S XTT_out-example
-N XTT_out-example
-A XTT_out-example -o b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_out-example -o b1 -j CT --zone mark
root@daniel-book:~#

root@daniel-book:~# conntrack -L | grep icmp
conntrack v1.4.5 (conntrack-tools): 31 flow entries have been shown.
icmp     1 18 src=172.66.99.10 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=20752 mark=0 zone=10 use=1
icmp     1 18 src=169.254.222.6 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=55967 mark=0 zone=10 use=1
root@daniel-book:~#

luscis / openlan

support to split network from host #24