Please add Bridge NAT in nftables

The NAT function is included in ebtables (although it is very simple, it is better than nothing), but I did not find the corresponding function in nftables.

In ebtables there is only static NAT, no masquerading; we can implement it in nftables.

Implementing dynamic MAC NAT is very simple. We can use the IP address as an identifier to translate the corresponding MAC. It is also simple to maintain the translation table. It is similar to the FIB of a switch: it learns automatically, and entries are discarded when they time out.

In MAC NAT it is: IP -> MAC.

In the FIB of a switch it is: MAC -> Dev Port.

In IPv4 NAT it is: TCP Port -> IP.

This is easy to understand.


src: 192.168.1.50                                  src: 192.168.1.50
dst: 192.168.1.100                                 dst: 192.168.1.100
-----------------           ->    Bridge    ->     -----------------
src MAC: Host A                                    src MAC: Bridge
dst MAC: Host B                                    dst MAC: Host B

Now NAT learned that the MAC corresponding to 192.168.1.50 is Host A.

src: 192.168.1.100                                 src: 192.168.1.100
dst: 192.168.1.50                                  dst: 192.168.1.50
-----------------           <-    Bridge    <-     -----------------
src MAC: Host B                                    src MAC: Host B
dst MAC: Host A                                    dst MAC: Bridge

Host A does not know the existence of NAT at all.
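The two diagrams above, replayed as an added example that is not part of the original post and not nftables or kernel code: a small Python simulation of the learning IP -> MAC table with FIB-style ageing. The class and method names, the timeout value and the MAC addresses are assumptions made for this example; the IP addresses are the ones from the diagrams.

```python
"""Simulation of the learning MAC NAT described in the post (added example).

The table maps IP -> (MAC, last-seen time) and expires idle entries after a
timeout, like a switch FIB.  Class and method names, the timeout and the
MAC addresses are assumptions for this example, not nftables or kernel code.
"""
from __future__ import annotations

import time
from typing import Callable, Optional

# Constructed sample addresses matching the post's diagrams.
HOST_A_MAC = "52:54:00:aa:aa:aa"
HOST_B_MAC = "52:54:00:bb:bb:bb"
BRIDGE_MAC = "52:54:00:00:00:01"

Frame = dict  # keys: src_ip, dst_ip, src_mac, dst_mac


class MacNat:
    """IP-keyed MAC translation table with FIB-style ageing."""

    def __init__(self, bridge_mac: str, timeout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.bridge_mac = bridge_mac
        self.timeout = timeout          # seconds before an idle entry is dropped
        self.clock = clock              # injectable so tests are deterministic
        self._table: dict[str, tuple[str, float]] = {}

    def _expire(self) -> None:
        """Discard entries that were not refreshed within the timeout."""
        now = self.clock()
        for ip in [ip for ip, (_, seen) in self._table.items()
                   if now - seen > self.timeout]:
            del self._table[ip]

    def lookup(self, ip: str) -> Optional[str]:
        """Return the learned MAC for ip, or None if unknown or expired."""
        self._expire()
        entry = self._table.get(ip)
        return entry[0] if entry else None

    def outbound(self, frame: Frame) -> Frame:
        """Host -> bridge -> network: learn src IP->MAC, replace src MAC."""
        self._table[frame["src_ip"]] = (frame["src_mac"], self.clock())
        return {**frame, "src_mac": self.bridge_mac}

    def inbound(self, frame: Frame) -> Optional[Frame]:
        """Network -> bridge -> host: restore the real dst MAC.

        Frames not addressed to the bridge MAC pass through untouched;
        frames for an unknown IP return None (caller drops or floods them).
        """
        if frame["dst_mac"] != self.bridge_mac:
            return frame
        mac = self.lookup(frame["dst_ip"])
        if mac is None:
            return None
        return {**frame, "dst_mac": mac}


def demo() -> dict:
    """Replay the two diagrams with a fake clock; return the resulting frames."""
    now = [0.0]
    nat = MacNat(BRIDGE_MAC, timeout=60.0, clock=lambda: now[0])

    a_to_b = {"src_ip": "192.168.1.50", "dst_ip": "192.168.1.100",
              "src_mac": HOST_A_MAC, "dst_mac": HOST_B_MAC}
    out = nat.outbound(a_to_b)                 # src MAC becomes the bridge's

    b_to_a = {"src_ip": "192.168.1.100", "dst_ip": "192.168.1.50",
              "src_mac": HOST_B_MAC, "dst_mac": BRIDGE_MAC}
    back = nat.inbound(b_to_a)                 # dst MAC restored to Host A

    now[0] = 61.0                              # idle longer than the timeout
    stale = nat.inbound(b_to_a)                # entry aged out -> None

    return {"out": out, "back": back, "stale": stale}


if __name__ == "__main__":
    for name, frame in demo().items():
        print(name, frame)
```

The `stale` case is the one worth noting: once an entry ages out, a reply for that IP can no longer be mapped back to a host, so a real implementation must decide whether to drop or flood it, and the timeout has to be longer than the quietest flow it is expected to carry.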

Maybe you want to ask me now: why do you want to do this, when the bridge can simply forward the data frame directly?

But the reality is that it gives people a headache. In some cases, a device port can only correspond to one source MAC address. If a normal switch sees multiple source MAC addresses, the network cannot be used!

For example, with security-restricted switches, or with wireless networks (when WDS is not supported), only a single source MAC can be used.

Dynamic MAC NAT is very important in these situations!