Hi Benno,
Yes, this is used to match tcp and udp in the same rule.
It is described in the official wiki at the end of this page:
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers
I tried using dnat and it didn't work either.
nft add rule inet nat PREROUTING iifname "$LAN" meta l4proto {tcp, udp} th dport 53 counter dnat ip6 to fd00:ffff:fffe:100::1:53 comment Redirect-DNS
nft list ruleset
table inet nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "br0" meta l4proto { tcp, udp } th dport 53 counter packets 1 bytes 138 dnat ip6 to fd00:ffff:fffe:100::1:53 comment "Redirect-DNS"
I tried using ip6tables and it didn't work either. Several people in
Google search results have successfully achieved this using ip6tables.
The rules are the same for IPv4 and IPv6, except IPv4 has masquerade. I
created masquerade for IPv6 and it didn't work either.
All packages are the latest version:
root@router:~# nft --version
nftables v1.0.5 (Lester Gooch #4)
root@router:~# ip6tables --version
ip6tables v1.8.8 (nf_tables)
root@router:~# modinfo nf_conntrack
filename: /lib/modules/5.19.0-1-amd64/kernel/net/netfilter/nf_conntrack.ko
license: GPL
alias: nf_conntrack-10
alias: nf_conntrack-2
alias: ip_conntrack
depends: nf_defrag_ipv4,nf_defrag_ipv6,libcrc32c
retpoline: Y
intree: Y
name: nf_conntrack
vermagic: 5.19.0-1-amd64 SMP preempt mod_unload modversions
I would really appreciate it if anyone could help me.
hugs,
Bruno.
On 24/09/2022 03:18, Benno wrote:
l4proto?
On 24.09.22 at 00:07, Bruno Meirelles wrote:
Hi friends,
[…]
nft add rule inet nat PREROUTING iifname "$LAN" meta l4proto {tcp, udp} th dport 53 counter redirect to :53 comment Redirect-DNS
In ipv4 traffic, the rule works perfectly. In ipv6 traffic I do not
receive a response.
[…]
Thanks,
Bruno.