The matching will be L3 based, but the copy can be of the whole packet; I'd like to simply change the dest device of it. I can match by source device, so I don't see why it's not logical to target a device as an action.

And turning to "tc" is a nice alternative, and many things that can be done in *tables can be done in "tc", but I'd like to stay focused on netfilter as it is more flexible with regard to the stage at which I insert my rules in the packet's flow.

Pablo, in this case I need it to work not only on bridged devices, so ebtables is not a solution for me.

On Wed, May 27, 2015 at 3:40 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, May 27, 2015 at 02:11:30PM +0200, Florian Westphal wrote:
>> Eddi Linder <eddi@xxxxxxxxxxxxxx> wrote:
>> > TEE is for gateway redirections, which means the redirected device has
>> > to have a configured ip, and to be reachable from the original device.
>>
>> That makes no sense to me. The to-redirected device always needs to be
>> reachable. And iptables is L3 and upwards, so I don't see how 1:1
>> copying would fit in here.
>>
>> > Florian, I didn't find the mirror target in the mainline documentation or code.
>>
>> I meant the tc action:
>>
>> tc filter add dev eth0 parent $parent protocol ip [..] action mirred egress redirect dev eth1
>>
>> > REROUTE redirection is more like the openvswitch output action, copy
>> > the packet from one device into another.
>>
>> Sorry, but my feeling is that this is out of scope for iptables.
>
> Agreed.
>
> There is an incomplete patch to add TEE support to nf_tables bridge
> family. You only have to specify the destination device as Eddi needs.
>
> Another alternative is to add this TEE support to ebtables, which is
> where this belongs.
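As an added illustration of the tc alternative Florian mentions (this is not code from the thread), the script below builds the tc commands that either copy ("mirror", the TEE-like behaviour Eddi asks for, e.g. feeding a monitoring interface) or move ("redirect") every IP packet seen on one interface to another device. Interface names are placeholders; the classic `ingress`/`prio` qdiscs and a catch-all `u32` match are assumed so it works on older kernels too, and applying the commands needs root and the act_mirred module.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) tc mirred rules that copy or
# move packets from one interface to another without any IP on the target.

# Print the tc commands for one direction.
#   $1 = source dev   $2 = target dev
#   $3 = mirror   (copy: original packet continues, a clone goes to $2)
#      | redirect (move: original packet is stolen and sent out of $2)
#   $4 = ingress | egress  (which side of the source device is hooked)
mirred_cmds() {
    src=$1; dst=$2; mode=$3; dir=$4
    case "$mode" in
        mirror|redirect) ;;
        *) echo "mirred_cmds: mode must be mirror or redirect" >&2; return 1 ;;
    esac
    case "$dir" in
        ingress)
            # ingress qdisc always has handle ffff:; u32 "match u32 0 0" matches everything
            echo "tc qdisc add dev $src ingress"
            echo "tc filter add dev $src parent ffff: protocol ip u32 match u32 0 0 action mirred egress $mode dev $dst"
            ;;
        egress)
            # egress filters need a classful root qdisc to hang off; prio is the usual choice
            echo "tc qdisc add dev $src root handle 1: prio"
            echo "tc filter add dev $src parent 1: protocol ip u32 match u32 0 0 action mirred egress $mode dev $dst"
            ;;
        *) echo "mirred_cmds: direction must be ingress or egress" >&2; return 1 ;;
    esac
}

# Apply the generated commands on this host (root only, stops at first failure).
apply_mirred() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_mirred: needs root" >&2; return 1; }
    mirred_cmds "$@" | sh -e
}
```

Run `mirred_cmds eth0 mon0 mirror ingress` to see the commands, then `apply_mirred eth0 mon0 mirror ingress` to install them; a tcpdump on mon0 then shows the copies.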