Hi Ricardo,

On Thu, Nov 22, 2018 at 03:17:27PM +0000, Ricardo Fraile wrote:
> Hello,
>
> Taking as starting point the following iptables rule, which replicates
> the udp packets to another host, only if it is on the same subnet:
>
> # iptables -t nat -A PREROUTING -i ens192 -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
>
> The iptables documentation says about it: "The TEE target will clone a
> packet and redirect this clone to another machine on the local network
> segment."
>
> There is the equivalent in nftables, documented at
> https://wiki.nftables.org/wiki-nftables/index.php/Duplicating_packets
> But there, there isn't any mention of the requirement that the host
> needs to be on the same network segment; it only says "to another remote
> peer for further inspection".

We need to fix this, yes. This works like iptables does.

> I'm trying it but I only receive packets if the host is in the same
> subnet, the same behaviour as iptables.
>
> Can nftables send packets to hosts outside the same network? Or can't
> it?
>
> The sample code is the following:
>
> echo "
> table mangle {
>     chain mangle {
>         type filter hook prerouting priority -300;
>         udp dport 53 counter dup to 192.168.1.2
>     }
> }
> " | nft -f /dev/stdin

Would it help you if we had a way to encapsulate packets through ERSPAN [1]?

[1] https://tools.ietf.org/html/draft-foschiano-erspan-00