Re: IP DNAT on bridged packets destined to local process


 



On Tue, 7 Jun 2022 at 11:14, Shirisha Dasari
(<shirishadasari@xxxxxxxxx>) wrote:
>
> Hi,
>
> I need some help to understand if IP DNAT can be achieved on bridged
> packets (IP packets arriving on a bridge port). The packets first need
> to undergo DMAC NAT in the bridge filter layer of Netfilter and then
> also need to undergo IP DNAT. This is because I need to have the
> incoming bridged IP packets redirected to a local process.
>
> From my experimentation so far, I'm only able to have the packet
> undergo DMAC NAT using bridge NF rules but these packets do not hit
> the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
> and are redirected to the bridge INPUT chain from where they undergo
> routing lookup directly and take appropriate route to be forwarded. I
> however need to NAT the DIP before the routing lookup happens.  From
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
> http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
> I feel the packet should have hit the IP PREROUTING chain and
> undergone NAT but this doesn't happen in my case.
>
> I've already tried the following:
>
> 1) net.bridge.bridge-nf-call-iptables = 1.
> The packets still do not hit the L3 IP NAT PREROUTING chain.
>
> 2) ebtables rules to BROUTE the packet to the L3 layer.  My ebtables
> rules added via ebtables-legacy do not get hit at all.
>
> 3) The packet seems to be hitting the inet chains but I cannot add a
> NAT rule in the inet chain as this support is only available in the
> later kernels.
>
> Some info about the system I'm trying this on:
> root@sonic:/home/admin# uname -a
> Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
> (2020-06-07) x86_64 GNU/Linux
>
> root@sonic:/home/admin# ebtables -V
> ebtables 1.8.2 (nf_tables)
> root@sonic:/home/admin# ebtables-legacy -V
> ebtables v2.0.10.4 (legacy) (December 2011)
>
> Following are the rules in my nftables and the trace of the packet
> traversing nftables:
>
> table bridge filter {
>                chain PREROUTING {
>                                   type filter hook prerouting priority
> -300; policy accept;
>                                   tcp dport http ip saddr 10.10.10.10
> ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
>                 }
>
>                chain trace_chain {
>                                  type filter hook prerouting priority
> -301; policy accept;
>                                  nftrace set 1
>                 }
> }
>
> root@sonic:/home/admin# nft list table nat
> table ip nat {
>         chain PREROUTING {
>                 type nat hook prerouting priority -100; policy accept;
>         }
>
>         chain INPUT {
>                 type nat hook input priority 100; policy accept;
>         }
>
>         chain POSTROUTING {
>                 type nat hook postrouting priority 100; policy accept;
>                 meta l4proto udp udp dport 53 counter packets 0 bytes
> 0 jump DNS_SNAT_RULE
>         }
>
>         chain OUTPUT {
>                 type nat hook output priority -100; policy accept;
>         }
>
>         chain DOCKER {
>         }
>
>         chain DNS_SNAT_RULE {
>         }
>
>         chain redir {
>                type nat hook prerouting priority -101; policy accept;
>                ip saddr 10.10.10.10 tcp dport { http, https } counter
> packets 0 bytes 0 dnat to 60.60.60.60
>         }
> }
>
> Packet trace:
>
> packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
> 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
> 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
> ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
> flags == 0x0 tcp window 0
> trace id e19ef0d4 bridge filter PREROUTING rule  tcp dport http ip
> saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
> bytes 4264  (verdict continue)
> trace id e19ef0d4 bridge filter PREROUTING verdict continue
> trace id e19ef0d4 bridge filter PREROUTING
> trace id e19ef0d4 bridge filter INPUT verdict continue
> trace id e19ef0d4 bridge filter INPUT
> trace id 00027106 ip filter FORWARD verdict continue
> trace id 00027106 ip filter FORWARD
>
> Thanks,
> Shirisha.

I took this from the nftables wiki:
> If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain
You can add another chain with the PREROUTING hook but a later priority
and do the IP DNAT there.

-- 
Maximiliano Estudies
VDT Referat Beschallung
+49 176 36784771
omslo.com
maxiestudies.com
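The packet trace quoted in the question is the evidence the whole thread turns on: it shows which chains the packet did traverse (bridge filter PREROUTING and INPUT, then ip filter FORWARD) and, by omission, that neither of the two ip nat prerouting chains was ever entered. The following is an added example, written for this page and not code from either poster, that parses nftrace output in the shape shown above and reports the expected chains that never appear. It assumes the line layout `trace id <id> <family> <table> <chain> [rule …|verdict …|policy …|packet: …]` that `nft monitor trace` prints; the bare `packet:` line and the two chain lines missing their `policy` suffix are kept exactly as the post shows them, and the parser tolerates both. The sample input is constructed from the post's trace with the wrapped lines re-joined.

```python
"""Parse nftrace / `nft monitor trace` output and summarise which chains a
traced packet actually traversed (added example, not from the thread)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample input: the trace from the post with its wrapped lines
# re-joined. The bare "packet:" line and the chain lines without a "policy"
# suffix are reproduced as they appear in the post.
SAMPLE_TRACE = """\
packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp flags == 0x0 tcp window 0
trace id e19ef0d4 bridge filter PREROUTING rule  tcp dport http ip saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52 bytes 4264  (verdict continue)
trace id e19ef0d4 bridge filter PREROUTING verdict continue
trace id e19ef0d4 bridge filter PREROUTING
trace id e19ef0d4 bridge filter INPUT verdict continue
trace id e19ef0d4 bridge filter INPUT
trace id 00027106 ip filter FORWARD verdict continue
trace id 00027106 ip filter FORWARD
"""

Chain = Tuple[str, str, str]  # (family, table, chain)

# Assumed line shape: "trace id <hex> <family> <table> <chain> [<rest>]".
LINE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+)"
    r"(?:\s+(?P<rest>.*))?$"
)
VERDICT_RE = re.compile(r"\(verdict (?P<v>\S+)\)\s*$")


class TraceEvent(NamedTuple):
    trace_id: str
    family: str
    table: str
    chain: str
    kind: str               # "rule", "verdict", "policy", "packet" or "chain"
    verdict: Optional[str]  # accept/continue/drop/... when the line carries one
    detail: str             # rule expression or packet dump, if any


def parse_trace(text: str) -> List[TraceEvent]:
    """Turn trace lines into events; lines without a trace id (such as the
    bare packet dump in the post) are skipped rather than rejected."""
    events: List[TraceEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = (m.group("rest") or "").strip()
        kind, verdict, detail = "chain", None, ""
        if rest.startswith("rule "):
            kind = "rule"
            vm = VERDICT_RE.search(rest)
            verdict = vm.group("v") if vm else None
            detail = VERDICT_RE.sub("", rest[len("rule "):]).strip()
        elif rest.startswith("verdict "):
            kind, verdict = "verdict", rest.split()[1]
        elif rest.startswith("policy "):
            kind, verdict = "policy", rest.split()[1]
        elif rest.startswith("packet:"):
            kind, detail = "packet", rest[len("packet:"):].strip()
        events.append(TraceEvent(m.group("id"), m.group("family"),
                                 m.group("table"), m.group("chain"),
                                 kind, verdict, detail))
    return events


def chain_path(events: List[TraceEvent]) -> Dict[str, List[Chain]]:
    """Ordered, de-duplicated list of (family, table, chain) per trace id."""
    paths: Dict[str, List[Chain]] = {}
    for ev in events:
        path = paths.setdefault(ev.trace_id, [])
        key: Chain = (ev.family, ev.table, ev.chain)
        if key not in path:
            path.append(key)
    return paths


def chains_hit(events: List[TraceEvent]) -> Set[Chain]:
    """Every chain touched by any trace id; the bridge and ip legs of one
    packet can carry different ids, as the sample shows."""
    return {(ev.family, ev.table, ev.chain) for ev in events}


def missing_chains(events: List[TraceEvent], expected: Set[Chain]) -> List[Chain]:
    """Expected chains that the trace never shows, sorted for stable output."""
    return sorted(expected - chains_hit(events))


def matched_rules(events: List[TraceEvent]) -> List[Tuple[Chain, str, Optional[str]]]:
    """(chain, rule expression, verdict) for every rule line in the trace."""
    return [((ev.family, ev.table, ev.chain), ev.detail, ev.verdict)
            for ev in events if ev.kind == "rule"]


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for tid, path in chain_path(evs).items():
        print(tid, " -> ".join("/".join(c) for c in path))
    for chain, rule, verdict in matched_rules(evs):
        print("matched in %s: %s (verdict %s)" % ("/".join(chain), rule, verdict))
    # The two ip nat prerouting chains from the poster's ruleset.
    want = {("ip", "nat", "PREROUTING"), ("ip", "nat", "redir")}
    for c in missing_chains(evs, want):
        print("never traversed:", "/".join(c))
```

Feed it the output of `nft monitor trace` (with `nftrace set 1` on the chain of interest, as in the poster's `trace_chain`) and give `missing_chains` the chains you expect the packet to reach; a chain that is present in the ruleset but absent from the trace is the first thing to look at.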



