nftables / DHCP / NAT

Hi colleagues,

I need to gather information about users' connection/disconnection events, which I'm going to get from DHCP and Radius packets. For this I built the following topology:

[ network switch ] -> ERSPAN -> [ server: phy -> decaps -> br ]

where:
- phy is the physical interface, where I receive ERSPAN traffic (intf name: erspan)
- decaps is the decapsulation interface (intf name: inspan)
- br is the bridge interface, which the decaps interface is connected to (intf name: br0)

'decaps' interface is created using the following command:
ip link add inspan type erspan oseq key 10 local 10.171.165.65 erspan_ver 1

I'm going to filter the packets which I'm interested in and send them to remote workers for further processing. The issue is that what works for Radius UDP packets does not work for all DHCP packets.

The configuration of nftables is the following:

table netdev inspan {
    chain rewrit {
        # Drop everything except Radius Accounting and DHCP packets
        type filter hook ingress device "inspan" priority filter; policy drop;

        # DHCP-NAT is LB-capable
        # 96:9f:7c:d3:c3:66 is br0's mac address (local MAC)
        iifname "inspan" udp dport 67 \
        meta pkttype set other \
        ether daddr set 96:9f:7c:d3:c3:66 \
        udp dport set 10067 \
        counter accept

#        # DHCP-Redirect is not LB-capable
#        iifname "inspan" udp dport 67 \
#        meta pkttype set other \
#        ether daddr set 96:9f:7c:d3:c3:66 \
#        ip daddr set 100.64.0.15 \
#        udp dport set 10067 \
#        udp sport set 10067 \
#        ip saddr set 100.64.0.66 \
#        counter accept

        # Radius-NAT is LB-capable
        iifname "inspan" udp dport 1813 \
        meta pkttype set other \
        ether daddr set 96:9f:7c:d3:c3:66 \
        udp dport set 11813 \
        accept
    }
}

table ip todos {
    chain enat {
        type nat hook prerouting priority dstnat;
        udp dport 10067 counter dnat to 100.64.0.15:10067
        udp dport 11813 counter dnat to 100.64.0.15:11813
    }
}

What I have with this configuration:
- everything works for ingress UDP/1813 (Radius-NAT): packets are caught, NATed and, thus, can be seen on the remote side, so the configuration itself is proper; if using the DHCP-Redirect rule (UDP/67), it works as well, but I want to use LB to distribute load between a few workers, so a NAT configuration is needed
- but if using the DHCP-NAT rule, some packets are NATed, while some are not

What I see when using DHCP-NAT is below. Please note the following:
- DHCP Discover/Request/Release/Inform are NATed and sent to 100.64.0.15
- DHCP ACK/Offer (this is, actually, what is important for me) are never NATed and travel to original destination

  573 2.297260611 x.x.199.117 → x.x.184.1  DHCP 372 DHCP ACK - Transaction ID 0x51357ac3
  574 2.307641833 x.x.199.128 → x.x.64.1   DHCP 363 DHCP ACK - Transaction ID 0x55455118
  575 2.312455678 x.x.199.142 → x.x.168.1  DHCP 369 DHCP Offer - Transaction ID 0x4852f832
  576 2.312562847    x.x.0.1 → 100.64.0.15  DHCP 639 DHCP Request - Transaction ID 0xd4283bc5
  577 2.317474129 x.x.203.247 → 100.64.0.15  DHCP 347 DHCP Release  - Transaction ID 0x0
  578 2.317598577   x.x.64.1 → 100.64.0.15  DHCP 635 DHCP Request - Transaction ID 0x5bf56c28
  579 2.322754139 x.x.199.128 → x.x.0.1    DHCP 369 DHCP ACK - Transaction ID 0xd4283bc5
  580 2.327509793  x.x.160.1 → 100.64.0.15  DHCP 640 DHCP Request - Transaction ID 0x3072d524
  581 2.332498442  x.x.160.1 → 100.64.0.15  DHCP 640 DHCP Request - Transaction ID 0x3072d524
  582 2.332599118 x.x.199.128 → x.x.64.1   DHCP 365 DHCP ACK - Transaction ID 0x5bf56c28
  583 2.337591370 x.x.199.117 → x.x.160.1  DHCP 370 DHCP ACK - Transaction ID 0x3072d524
  584 2.352502648  x.x.136.1 → 100.64.0.15  DHCP 387 DHCP Discover - Transaction ID 0x30e3
  589 2.367725851 x.x.199.117 → x.x.136.1  DHCP 365 DHCP Offer - Transaction ID 0x30e3
  590 2.367751479  x.x.244.1 → 100.64.0.15  DHCP 375 DHCP Discover - Transaction ID 0x503f282d
  591 2.372640571 x.x.199.142 → x.x.136.1  DHCP 365 DHCP Offer - Transaction ID 0x30e3
  592 2.372723897  x.x.240.1 → 100.64.0.15  DHCP 381 DHCP Request - Transaction ID 0xba32317d
  593 2.380136607   x.x.64.1 → 100.64.0.15  DHCP 345 DHCP Request - Transaction ID 0x559d5794
  605 2.433146783   x.x.8.37 → 100.64.0.15  DHCP 640 DHCP Inform - Transaction ID 0x545550c5
  613 2.448425667 x.x.85.181 → 100.64.0.15  DHCP 365 DHCP Release - Transaction ID 0x0

The question is: what am I doing wrong?

Environment:
- OS: Ubuntu 22.04
- Linux 6.5.0-060500-generic #202308271831 SMP PREEMPT_DYNAMIC Sun Aug 27 22:37:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Thank you.

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison
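The following script is an added example, not part of the post or of any reply in the thread. It parses the capture lines quoted above (copied verbatim as sample input) and tabulates, per DHCP message type, how many frames were rewritten to the post's NAT target 100.64.0.15 and how many travelled to their original destination. It then compares each message type with the UDP destination port it is sent to according to RFC 2131 (client-to-server messages go to server port 67; Offer, ACK and NAK go to client port 68) and lists the types whose port falls outside a given rule match set; the `unmatched_by_rule` helper and its `rule_dports` parameter are assumptions of this example, modelled on the `udp dport 67` match in the posted ruleset.

```python
import re
from collections import defaultdict

# Destination the posted nat rule rewrites matched DHCP packets to.
NAT_TARGET = "100.64.0.15"

# Sample input: the tshark-style frames quoted in the post (addresses were
# already masked as x.x.a.b there).
CAPTURE = """\
573 2.297260611 x.x.199.117 → x.x.184.1  DHCP 372 DHCP ACK - Transaction ID 0x51357ac3
574 2.307641833 x.x.199.128 → x.x.64.1   DHCP 363 DHCP ACK - Transaction ID 0x55455118
575 2.312455678 x.x.199.142 → x.x.168.1  DHCP 369 DHCP Offer - Transaction ID 0x4852f832
576 2.312562847    x.x.0.1 → 100.64.0.15  DHCP 639 DHCP Request - Transaction ID 0xd4283bc5
577 2.317474129 x.x.203.247 → 100.64.0.15  DHCP 347 DHCP Release  - Transaction ID 0x0
578 2.317598577   x.x.64.1 → 100.64.0.15  DHCP 635 DHCP Request - Transaction ID 0x5bf56c28
579 2.322754139 x.x.199.128 → x.x.0.1    DHCP 369 DHCP ACK - Transaction ID 0xd4283bc5
580 2.327509793  x.x.160.1 → 100.64.0.15  DHCP 640 DHCP Request - Transaction ID 0x3072d524
581 2.332498442  x.x.160.1 → 100.64.0.15  DHCP 640 DHCP Request - Transaction ID 0x3072d524
582 2.332599118 x.x.199.128 → x.x.64.1   DHCP 365 DHCP ACK - Transaction ID 0x5bf56c28
583 2.337591370 x.x.199.117 → x.x.160.1  DHCP 370 DHCP ACK - Transaction ID 0x3072d524
584 2.352502648  x.x.136.1 → 100.64.0.15  DHCP 387 DHCP Discover - Transaction ID 0x30e3
589 2.367725851 x.x.199.117 → x.x.136.1  DHCP 365 DHCP Offer - Transaction ID 0x30e3
590 2.367751479  x.x.244.1 → 100.64.0.15  DHCP 375 DHCP Discover - Transaction ID 0x503f282d
591 2.372640571 x.x.199.142 → x.x.136.1  DHCP 365 DHCP Offer - Transaction ID 0x30e3
592 2.372723897  x.x.240.1 → 100.64.0.15  DHCP 381 DHCP Request - Transaction ID 0xba32317d
593 2.380136607   x.x.64.1 → 100.64.0.15  DHCP 345 DHCP Request - Transaction ID 0x559d5794
605 2.433146783   x.x.8.37 → 100.64.0.15  DHCP 640 DHCP Inform - Transaction ID 0x545550c5
613 2.448425667 x.x.85.181 → 100.64.0.15  DHCP 365 DHCP Release - Transaction ID 0x0
"""

# One capture line: frame, time, src -> dst, protocol, length, message type, xid.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)"
    r"\s+DHCP\s+(?P<length>\d+)\s+DHCP\s+(?P<mtype>\w+)\s+-\s+Transaction ID\s+"
    r"(?P<xid>0x[0-9a-fA-F]+)"
)

# RFC 2131: server -> client messages are sent to the client port (68);
# everything a client sends goes to the server port (67).
SERVER_TO_CLIENT = {"Offer", "ACK", "NAK"}


def expected_dport(mtype):
    """UDP destination port a DHCP message of this type is sent to."""
    return 68 if mtype in SERVER_TO_CLIENT else 67


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["frame"] = int(rec["frame"])
        rec["rewritten"] = rec["dst"] == NAT_TARGET
        rec["expected_dport"] = expected_dport(rec["mtype"])
        frames.append(rec)
    return frames


def summarize(frames):
    """Per message type: frames that reached NAT_TARGET vs. original destination."""
    summary = defaultdict(lambda: {"rewritten": 0, "original": 0, "dport": None})
    for f in frames:
        key = "rewritten" if f["rewritten"] else "original"
        summary[f["mtype"]][key] += 1
        summary[f["mtype"]]["dport"] = f["expected_dport"]
    return dict(summary)


def never_rewritten(frames):
    """Message types of which no frame was sent to NAT_TARGET."""
    return sorted(t for t, c in summarize(frames).items() if c["rewritten"] == 0)


def unmatched_by_rule(frames, rule_dports=(67,)):
    """Message types whose expected dport is outside the set a filter rule matches
    (hypothetical helper; default mirrors a 'udp dport 67' match)."""
    return sorted({f["mtype"] for f in frames if f["expected_dport"] not in rule_dports})


if __name__ == "__main__":
    frames = parse_capture(CAPTURE)
    for mtype, c in sorted(summarize(frames).items()):
        print(f"{mtype:9s} dport {c['dport']}  rewritten={c['rewritten']}  original={c['original']}")
    print("never rewritten:", never_rewritten(frames))
    print("outside 'udp dport 67':", unmatched_by_rule(frames))
    print("outside 'udp dport {67, 68}':", unmatched_by_rule(frames, (67, 68)))
```

Run as-is, the script needs no network access and reports which message types in the quoted capture were never redirected; the comparison against the RFC 2131 port mapping is what a practitioner would check first when a port-based match catches only one direction of a request/response protocol.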



