Hi Pablo,
Thanks a lot for your reply.
On 3/6/24 19:17, Pablo Neira Ayuso wrote:
> On Wed, Mar 06, 2024 at 04:43:02PM +0100, Daniel Mack wrote:
>> Hi,
>>
>> I am using the NFT egress hook in a netdev table with 'set' statements
>> to adjust the source MAC and IP addresses before duplicating packets to
>> another interface:
>>
>> table netdev dummy {
>> chain egress {
>> type filter hook egress device "dummy" priority 0;
>> ether type ip ether saddr set 01:02:03:04:05:06 ip saddr set 1.1.1.1
>> dup to "eth0"
>> }
>> }
>
> Is this a dummy device created via: ip link add dummy type dummy or
> just a coincidence?
Yes, it's a dummy device. I'm using the egress netdev hook here because
it is executed before the device's .ndo_start_xmit() is called.
>> The modification of the sender's MAC address works fine. However, the
>> adjustment of the source IP is applied at the wrong offset. The octets
>> in the raw packet that are being modified are 13 and 14, which would be
>> the correct offset within an IP header, but it seems that the prefixed
>> Ethernet header is not taken into account.
>>
>> For the same reason, attempting to filter based on any details beyond
>> the Ethernet header also fails. The following rule does not match any
>> packets, even though there is a significant amount of UDP traffic:
>>
>> table netdev dummy {
>> chain egress {
>> type filter hook egress device "dummy" priority 0;
>> ether type ip ip protocol udp dup to "eth0"
>> }
>> }
>>
>> At this point, I'm not sure where to start digging to be honest and
>> would appreciate any guidance on how to resolve this issue.
>
> I guess you are running a kernel with
>
> commit 0ae8e4cca78781401b17721bfb72718fdf7b4912
> Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Date: Thu Dec 14 11:50:12 2023 +0100
>
> netfilter: nf_tables: set transport offset from mac header for netdev/egress
>
> so this is a different bug?
Interesting, I did in fact run a 6.4 production kernel when I tried
this, and that didn't have that patch applied. Sorry for that oversight.
On 6.7, what I see is different but still broken:
This rules does the right thing and patches the source MAC correctly:
table netdev dummy {
chain egress {
type filter hook egress device dummy priority 0;
ether saddr set 1:2:3:4:5:6 dup to eth0
}
}
Whereas trying to patch the IP source addr leads to no packets being
forwarded at all anymore:
table netdev dummy {
chain egress {
type filter hook egress device dummy priority 0;
ip saddr set 1.1.1.1 dup to eth0
}
}
Interestingly, ether type filtering is also broken now, the following
also doesn't match any packets:
table netdev dummy {
chain egress {
type filter hook egress device dummy priority 0;
ether type ip dup to eth0
}
}
I browsed through the patches since 6.7 and couldn't find anything that
is related. Did I miss anything?
Best regards,
Daniel
