# nftables ruleset: a stateless ("DIY") NAT that lets two guests behind the
# $nic bridge share two upstream identities (192.168.122.11 / .12). The IP
# DSCP field is used as an in-band selector that decides which identity a
# packet gets on the way out. NOTE(review) comments mark points to confirm.

# uplink bridge that all translated traffic enters and leaves on
define nic = xenbr0

# NOTE(review): this removes EVERY table on the host, including any host
# firewall loaded from another file. If other rulesets coexist, replace the
# global flush with per-table `table ... {}` + `delete table ...` so that only
# the tables defined in this file are reset.
flush ruleset

# stateless and casual outbound nat (mangle has higher priority)
#table ip nat {
#    # SNAT
#    chain postrouting {
#        type nat hook postrouting priority srcnat;
#        oif $nic ip saddr 10.5.5.0/24 notrack snat 192.168.122.12;
#    }
#}

# spoof the other node on the way back
table ip mangle {
    # DIY-DNAT: rewrite the destination of selected inbound ports on $nic
    # directly in the mangle hook instead of through the nat engine. Every
    # rule also stamps DSCP cs2 so the postrouting rules below can tell this
    # traffic apart from locally originated traffic.
    #
    # NOTE(review): `notrack` only takes effect when no conntrack entry has
    # been attached to the packet yet, and conntrack runs in prerouting at
    # priority -200, i.e. BEFORE this chain (mangle == -150). As soon as the
    # `table inet mangle` below (which uses `ct mark`) is loaded, conntrack
    # hooks are active and these `notrack` statements are effectively no-ops.
    # If the traffic really must stay untracked, move them to a chain with
    # raw priority (-300) -- but then the ct-mark approach in the inet table
    # cannot work for these flows either; the two designs need reconciling.
    #
    # NOTE(review): there is no source restriction and no forward-filter
    # chain in this file; whether 10.5.5.201/.202 are reachable on these
    # ports from anywhere on $nic depends on the forward policy loaded
    # elsewhere (if any) -- confirm.
    chain prerouting {
        type filter hook prerouting priority mangle;
        # node2
        iif $nic tcp dport 80 notrack ip daddr set 10.5.5.201 ip dscp set cs2
        iif $nic tcp dport 1234 notrack ip daddr set 10.5.5.201 ip dscp set cs2
        iif $nic udp dport 1234 notrack ip daddr set 10.5.5.201 ip dscp set cs2
        # port-mapped SSH: external 2201 -> .201:22, external 2202 -> .202:22
        iif $nic tcp dport 2201 notrack ip daddr set 10.5.5.201 tcp dport set 22 ip dscp set cs2
        iif $nic tcp dport 2202 notrack ip daddr set 10.5.5.202 tcp dport set 22 ip dscp set cs2
    }
    # DIY-SNAT: undo the port mapping for replies leaving from :22, then pick
    # the upstream source address from the DSCP marker.
    #
    # NOTE(review): the choice between .11 and .12 is made solely from the
    # DSCP bits of a packet sourced in 10.5.5.0/24 -- bits any guest can set
    # itself -- so a guest can choose either upstream identity. Acceptable
    # only if the guests are trusted; confirm.
    #
    # NOTE(review): inbound packets are re-marked cs2 (their original DSCP is
    # overwritten) and the marker is never cleared, so cs1/cs2 leave on the
    # wire. Resetting it after the saddr rewrite (`ip dscp set cs0`) would
    # stop the internal marker from leaking upstream.
    #
    # NOTE(review): replies from the guests only hit the last two rules if
    # the guest echoes the DSCP value back, which depends on the guest stack;
    # the `table inet mangle` below is an attempt to restore it via conntrack.
    chain postrouting {
        type filter hook postrouting priority mangle;
        # statement order matters: `notrack` sits before the sport test, so
        # it is executed for every packet from these hosts, not just sport 22
        oif $nic ip saddr 10.5.5.201/32 notrack tcp sport 22 tcp sport set 2201
        oif $nic ip saddr 10.5.5.202/32 notrack tcp sport 22 tcp sport set 2202
        oif $nic ip saddr 10.5.5.0/24 notrack ip dscp cs1 ip saddr set 192.168.122.11
        oif $nic ip saddr 10.5.5.0/24 notrack ip dscp cs2 ip saddr set 192.168.122.12
    }
}

# Drop ARP frames that mention 10.5.5.254 on both VLAN sub-interfaces, in the
# egress direction only (netdev egress hook -- requires a kernel that has it,
# 5.16 or later). Presumably keeps the .254 address from being resolved or
# announced on the VLAN from this host -- TODO confirm intent.
table netdev filter {
    chain egress {
        type filter hook egress devices = { eth1.100, eth2.100 } priority -500;
        arp saddr ip 10.5.5.254 drop
        arp daddr ip 10.5.5.254 drop
    }
}

# guest-facing tap interface on this node
define guestnic = tap0

# reverse iif<>oif
# Intended to carry the DSCP marker across the guest via the conntrack mark:
# remember it (cs1 -> 0x01, cs2 -> 0x02) on the way towards the guest and
# re-apply it to packets coming back from the guest, so the DIY-SNAT rules
# above can match on it.
#
# NOTE(review): `oif` is not known in prerouting (the packet has not been
# routed yet), so the two prerouting rules cannot match as written; a forward
# or output hook, or matching on `iif`, is probably what was meant. Also,
# `ct mark set` has no effect on untracked packets, so this can only work for
# flows where the `notrack` statements above did NOT take effect.
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority -150;
        oif $guestnic ip dscp == cs1 ct mark set 0x01
        oif $guestnic ip dscp == cs2 ct mark set 0x02
    }
    chain postrouting {
        type filter hook postrouting priority 150;
        iif $guestnic ct mark == 0x01 ip dscp set cs1
        iif $guestnic ct mark == 0x02 ip dscp set cs2
    }
}