Re: Duplicating packets 'dup' to host outside same subnet

Hi Pablo,


On Thu, 22-11-2018 at 19:28 +0100, Pablo Neira Ayuso wrote:
> Hi Ricardo,
> 
> On Thu, Nov 22, 2018 at 03:17:27PM +0000, Ricardo Fraile wrote:
> > Hello,
> > 
> > Taking as starting point the following iptables rule, which replicates
> > the udp packets to another host, only if it is on the same subnet:
> > 
> > # iptables -t nat -A PREROUTING -i ens192 -p udp --dport 53 -j DNAT
> > --to-destination 192.168.1.2:53
> > 
> > The iptables documentation said about it: "The TEE target will clone a
> > packet and redirect this clone to another machine on the local network
> > segment."
> > 
> > There is the equivalent on nftables, documented on
> > https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.nftables.org%2Fwiki-nftables%2Findex.php%2FDuplicating_packets&data=02%7C01%7C%7C13047070ef8e44361a3a08d650a84a37%7Cd78b7929c2a34897ae9a7d8f8dc1a1cf%7C0%7C0%7C636785081066396846&sdata=0EyMvH8zRM49YPWTHnuJ2dlUh5fa%2FK962jnF8o6bkpM%3D&reserved=0
> > But there, there isn't any mention of the requirement that the host
> > needs to be on the same network segment; it only says "to another remote
> > peer for further inspection".
> 
> We need to fix this, yes. This works like iptables does.
> 
> > I'm trying it but I only receive packets if the host is in the same
> > subnet, the same behaviour as iptables.
> > 
> > Can nftables send packets to hosts outside the same network, or can't
> > it?
> > 
> > The sample code is the following:
> > 
> > 
> > echo "
> > 
> > table mangle {
> >         chain mangle {
> >                 type filter hook prerouting priority -300;
> >                 udp dport 53 counter dup to 192.168.1.2
> >         }
> > }
> > 
> > " | nft -f /dev/stdin
> 
> Would it help you if we have a way to encapsulate packets through
> ERSPAN [1]?
> 
> [1] https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-foschiano-erspan-00&data=02%7C01%7C%7C13047070ef8e44361a3a08d650a84a37%7Cd78b7929c2a34897ae9a7d8f8dc1a1cf%7C0%7C0%7C636785081066396846&sdata=4hcLuAv5owrs0r%2BXPkJy1N1YTuBfuaq3z6QTxq2FBXI%3D&reserved=0


Thanks for the ERSPAN recommendation, but it doesn't fit in our
particular case.

This is the solution that I will follow:

1- Replicate packets from the target server to a satellite on the same
subnet.

2- From the satellite, redirect the traffic to the destination server
located on another subnet.


Regards,
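The two-step workaround described above, as added example rulesets that are not part of the thread: one loaded on the DNS server, one on the satellite. Assumed: the server is 192.168.1.10 receiving queries on ens192, the satellite is 192.168.1.2 with eth0 on that subnet and eth1 toward a collector at 10.0.0.5 on the other subnet, and the satellite is a dedicated box with net.ipv4.ip_forward=1 and a route to 10.0.0.0/24 via eth1.

```nft
# --- Loaded on the DNS server (192.168.1.10, assumed) ---
# dup only rewrites the next hop of the clone; the clone still carries the
# server's own IP as destination, which is why the target must be on-link.
table ip mangle {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        iif "ens192" udp dport 53 counter dup to 192.168.1.2
    }
}

# --- Loaded on the satellite (192.168.1.2, assumed) ---
# The clone arrives here addressed to 192.168.1.10, so it is not delivered
# locally. DNAT rewrites the destination to the collector on the other
# subnet and the kernel forwards it (ip_forward=1 and a route via eth1 assumed).
table ip satellite {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "eth0" ip daddr 192.168.1.10 udp dport 53 counter dnat to 10.0.0.5
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Only the mirrored direction is allowed. Dropping the reverse
        # direction means any answer the collector sends is never un-NATed
        # and relayed back to the original client as if it came from the server.
        iif "eth0" oif "eth1" ip daddr 10.0.0.5 udp dport 53 accept
    }
}
```

If rp_filter is strict on the satellite's eth0, clones from clients that are not routed back through eth0 are dropped before the nat hook; the counters on both hosts show where the clone stops.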