El mar, 7 jun 2022 a las 11:14, Shirisha Dasari (<shirishadasari@xxxxxxxxx>) escribió: > > Hi, > > I need some help to understand if IP DNAT can be achieved on bridged > packets (IP packets arriving on a bridge port). The packets first need > to undergo DMAC NAT in the bridge filter layer of Netfilter and then > also need to undergo IP DNAT. This is because I need to have the > incoming bridged IP packets redirected to a local process. > > From my experimentation so far, I'm only able to have the packet > undergo DMAC NAT using bridge NF rules but these packets do not hit > the ingress L3 stack prerouting chains. The packets undergo DMAC NAT > and are redirected to the bridge INPUT chain from where they undergo > routing lookup directly and take appropriate route to be forwarded. I > however need to NAT the DIP before the routing lookup happens. From > https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks, > http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and > https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg, > I feel the packet should have hit the IP PREROUTING chain and > undergone NAT but this doesn't happen in my case. > > I've already tried the following: > > 1) net.bridge.bridge-nf-call-iptables = 1. > The packets still do not hit the L3 IP NAT PREROUTING chain still. > > 2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables > rules added via ebtables-legacy do not get hit at all. > > 3) The packet seems to be hitting the inet chains but I cannot add a > NAT rule in the inet chain as this support is only available in the > later kernels. > > Some info about the system I'm trying this on: > root@sonic:/home/admin# uname -a > Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1 > (2020-06-07) x86_64 GNU/Linux > > root@sonic:/home/admin# ebtables -V > ebtables 1.8.2 (nf_tables) > root@sonic:/home/admin# ebtables-legacy -V > ebtables v2.0.10.4 (legacy) (December 2011) > > Following are the rules in my nftables and the trace of the packet > traversing nftables: > > table bridge filter { > chain PREROUTING { > type filter hook prerouting priority > -300; policy accept; > tcp dport http ip saddr 10.10.10.10 > ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0 > } > > chain trace_chain { > type filter hook prerouting priority > -301; policy accept; > nftrace set 1 > } > } > > root@sonic:/home/admin# nft list table nat > table ip nat { > chain PREROUTING { > type nat hook prerouting priority -100; policy accept; > } > > chain INPUT { > type nat hook input priority 100; policy accept; > } > > chain POSTROUTING { > type nat hook postrouting priority 100; policy accept; > meta l4proto udp udp dport 53 counter packets 0 bytes > 0 jump DNS_SNAT_RULE > } > > chain OUTPUT { > type nat hook output priority -100; policy accept; > } > > chain DOCKER { > } > > chain DNS_SNAT_RULE { > } > > chain redir { > type nat hook prerouting priority -101; policy accept; > ip saddr 10.10.10.10 tcp dport { http, https } counter > packets 0 bytes 0 dnat to 60.60.60.60 > } > } > > Packet trace: > > packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr > 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr > 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2 > ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp > flags == 0x0 tcp window 0 > trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip > saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52 > bytes 4264 (verdict continue) > trace id e19ef0d4 bridge filter PREROUTING verdict continue > trace id e19ef0d4 bridge filter PREROUTING > trace id e19ef0d4 bridge filter INPUT verdict continue > trace id e19ef0d4 bridge filter INPUT > trace id 00027106 ip filter FORWARD verdict continue > trace id 00027106 ip filter FORWARD > > Thanks, > Shirisha. I took this from the nftables wiki: > If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain you can add another chain with the PREROUTING hook but later priority and do the IP DNAT there. -- Maximiliano Estudies VDT Referat Beschallung +49 176 36784771 omslo.com maxiestudies.com