Hi colleagues,
I need to gather information about users' connection/disconnection
events, which I'm going to get from DHCP and Radius packets. For this I
built the following topology:
[ network switch ] -> ERSPAN -> [ server: phy -> decaps -> br ]
where:
- phy is the physical interface, where I receive ERSPAN traffic (intf name: erspan)
- decaps is the decapsulation interface (intf name: inspan)
- br is the bridge interface, which the decaps interface is connected to (intf name: br0)
'decaps' interface is created using the following command:
ip link add inspan type erspan oseq key 10 local 10.171.165.65 erspan_ver 1
I'm going to filter the packets which I'm interested in and send them to
remote workers for further processing. The issue is that what works for
Radius UDP packets does not work for all DHCP packets.
The configuration of nftables is the following:
table netdev inspan {
    chain rewrit {
        # Drop everything except Radius Accounting and DHCP packets
        type filter hook ingress device "inspan" priority filter;
        policy drop;

        # DHCP-NAT is LB-capable
        # 96:9f:7c:d3:c3:66 is br0's mac address (local MAC)
        iifname "inspan" udp dport 67 \
            meta pkttype set other \
            ether daddr set 96:9f:7c:d3:c3:66 \
            udp dport set 10067 \
            counter accept

        # # DHCP-Redirect is not LB-capable
        # iifname "inspan" udp dport 67 \
        #     meta pkttype set other \
        #     ether daddr set 96:9f:7c:d3:c3:66 \
        #     ip daddr set 100.64.0.15 \
        #     udp dport set 10067 \
        #     udp sport set 10067 \
        #     ip saddr set 100.64.0.66 \
        #     counter accept

        # Radius-NAT is LB-capable
        iifname "inspan" udp dport 1813 \
            meta pkttype set other \
            ether daddr set 96:9f:7c:d3:c3:66 \
            udp dport set 11813 \
            accept
    }
}

table ip todos {
    chain enat {
        type nat hook prerouting priority dstnat;
        udp dport 10067 counter dnat to 100.64.0.15:10067
        udp dport 11813 counter dnat to 100.64.0.15:11813
    }
}
What I have with this configuration:
- everything works for ingress UDP/1813 (Radius-NAT): packets are caught,
NATed and, thus, can be seen on the remote side, so the configuration itself is
proper
- if using the DHCP-Redirect rule (UDP/67), it works as well, but I want to
use LB to distribute load between a few workers, so the NAT configuration is
needed
- but if using the DHCP-NAT rule, some packets are NATed, while some are not
What I see when using DHCP-NAT is below. Please note the following:
- DHCP Discover/Request/Release/Inform are NATed and sent to 100.64.0.15
- DHCP ACK/Offer (this is, actually, what is important for me) are never
NATed and travel to the original destination
573 2.297260611 x.x.199.117 → x.x.184.1 DHCP 372 DHCP ACK - Transaction ID 0x51357ac3
574 2.307641833 x.x.199.128 → x.x.64.1 DHCP 363 DHCP ACK - Transaction ID 0x55455118
575 2.312455678 x.x.199.142 → x.x.168.1 DHCP 369 DHCP Offer - Transaction ID 0x4852f832
576 2.312562847 x.x.0.1 → 100.64.0.15 DHCP 639 DHCP Request - Transaction ID 0xd4283bc5
577 2.317474129 x.x.203.247 → 100.64.0.15 DHCP 347 DHCP Release - Transaction ID 0x0
578 2.317598577 x.x.64.1 → 100.64.0.15 DHCP 635 DHCP Request - Transaction ID 0x5bf56c28
579 2.322754139 x.x.199.128 → x.x.0.1 DHCP 369 DHCP ACK - Transaction ID 0xd4283bc5
580 2.327509793 x.x.160.1 → 100.64.0.15 DHCP 640 DHCP Request - Transaction ID 0x3072d524
581 2.332498442 x.x.160.1 → 100.64.0.15 DHCP 640 DHCP Request - Transaction ID 0x3072d524
582 2.332599118 x.x.199.128 → x.x.64.1 DHCP 365 DHCP ACK - Transaction ID 0x5bf56c28
583 2.337591370 x.x.199.117 → x.x.160.1 DHCP 370 DHCP ACK - Transaction ID 0x3072d524
584 2.352502648 x.x.136.1 → 100.64.0.15 DHCP 387 DHCP Discover - Transaction ID 0x30e3
589 2.367725851 x.x.199.117 → x.x.136.1 DHCP 365 DHCP Offer - Transaction ID 0x30e3
590 2.367751479 x.x.244.1 → 100.64.0.15 DHCP 375 DHCP Discover - Transaction ID 0x503f282d
591 2.372640571 x.x.199.142 → x.x.136.1 DHCP 365 DHCP Offer - Transaction ID 0x30e3
592 2.372723897 x.x.240.1 → 100.64.0.15 DHCP 381 DHCP Request - Transaction ID 0xba32317d
593 2.380136607 x.x.64.1 → 100.64.0.15 DHCP 345 DHCP Request - Transaction ID 0x559d5794
605 2.433146783 x.x.8.37 → 100.64.0.15 DHCP 640 DHCP Inform - Transaction ID 0x545550c5
613 2.448425667 x.x.85.181 → 100.64.0.15 DHCP 365 DHCP Release - Transaction ID 0x0
The question is: what am I doing wrong?
Environment:
- OS: Ubuntu 22.04
- Linux 6.5.0-060500-generic #202308271831 SMP PREEMPT_DYNAMIC Sun Aug 27 22:37:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
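As an added illustration, not part of the post above, here is a small Python script that parses a reconstructed excerpt of the tshark listing and tallies, per DHCP message type, which packets were rewritten to the 100.64.0.15 worker and which kept their original destination; it also annotates each type with the UDP destination port that RFC 2131 assigns it (67 for client requests, 68 for server replies), since that port is what a `udp dport 67` match selects on. The names `WORKER`, `parse`, `nat_summary` and `half_seen_transactions` are this example's own, and `half_seen_transactions` pairs requests with replies by transaction ID to list the exchanges of which the worker would only ever see one half.

```python
import re
from collections import defaultdict

# Constructed excerpt of the tshark listing in the post, rejoined one packet
# per line; the "x.x" address prefixes are left as the poster redacted them.
CAPTURE = """\
573 2.297260611 x.x.199.117 → x.x.184.1 DHCP 372 DHCP ACK - Transaction ID 0x51357ac3
576 2.312562847 x.x.0.1 → 100.64.0.15 DHCP 639 DHCP Request - Transaction ID 0xd4283bc5
579 2.322754139 x.x.199.128 → x.x.0.1 DHCP 369 DHCP ACK - Transaction ID 0xd4283bc5
584 2.352502648 x.x.136.1 → 100.64.0.15 DHCP 387 DHCP Discover - Transaction ID 0x30e3
589 2.367725851 x.x.199.117 → x.x.136.1 DHCP 365 DHCP Offer - Transaction ID 0x30e3
605 2.433146783 x.x.8.37 → 100.64.0.15 DHCP 640 DHCP Inform - Transaction ID 0x545550c5
"""
WORKER = "100.64.0.15"  # the dnat target in the poster's "todos" table

# RFC 2131: clients send BOOTREQUEST messages to UDP port 67, servers answer
# with BOOTREPLY messages sent to UDP port 68.
BOOTREPLY = {"Offer", "ACK", "NAK"}

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+→\s+(\S+)\s+DHCP\s+\d+\s+DHCP\s+(\w+)"
    r"\s+-\s+Transaction ID\s+(0x[0-9a-fA-F]+)"
)

def parse(text):
    """Turn tshark summary lines into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"src": m[1], "dst": m[2], "type": m[3], "xid": m[4]})
    return rows

def nat_summary(rows):
    """Per DHCP message type: packets rewritten to WORKER vs. left alone, and
    the UDP destination port that message type is carried on."""
    out = defaultdict(lambda: {"natted": 0, "original": 0})
    for r in rows:
        out[r["type"]]["natted" if r["dst"] == WORKER else "original"] += 1
    for mtype, c in out.items():
        c["dport"] = 68 if mtype in BOOTREPLY else 67
    return dict(out)

def half_seen_transactions(rows):
    """Transaction IDs whose request reached WORKER but whose reply did not,
    so the worker sees a Discover/Request and never the matching Offer/ACK."""
    natted = {r["xid"] for r in rows if r["dst"] == WORKER}
    replies = {r["xid"] for r in rows if r["dst"] != WORKER and r["type"] in BOOTREPLY}
    return sorted(natted & replies)
```

Run over the full listing from the post, the same functions report every ACK and Offer as unrewritten while all Discover, Request, Release and Inform packets were sent to the worker.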