Re: nftables / DHCP / NAT

Hi Pablo,

On 10/30/23 09:41, Pablo Neira Ayuso wrote:
> iifname "inspan" ...
>
> is not really required, because your chain is already hooked at
> "inspan" device, see your chain declaration:

Thanks for that.

> Then, to forward packets to some other box from the 'netdev' family,
> use the 'fwd' statement:
>
>          udp dport 67 udp dport set 10067 counter fwd to 100.64.0.66 device "eth0"
>
> This rule above is mangling your UDP destination port from 67 to
> 10067, then it sends the packet to 100.64.0.66 and device "eth0". The
> destination MAC address is updated by the neighbour layer so you do
> not have to bother with "ether daddr set ...".

The basic idea of this construction is to later use load balancing (https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing) between multiple destinations, in the section

table ip todos {
    chain enat {
        type nat hook prerouting priority dstnat;
        udp dport 10067 counter dnat to 100.64.0.15:10067
        udp dport 11813 counter dnat to 100.64.0.15:11813
    }
}

So in the first step (netdev) I'm setting the dst MAC to local (so the packet will not be dropped as "alien", because I receive mirrored (SPAN) traffic on this box, where the dst MAC is not this box's) and then load-balance it between multiple destinations using NAT/LB. As far as I understand, 'fwd' is for forwarding to a single destination.

I would appreciate any suggestion on how to solve this task, either fixing what I'm trying to do or using another way :-)

Thank you.

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison
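As an added example (not code from this thread, and not something Pablo or Volodymyr posted): one way to put the two stages together in a single ruleset, with the netdev ingress stage fixing up the mirrored frame so the IP stack accepts it, and the nat prerouting stage spreading the flows across several backends with a numgen/jhash map as on the wiki page linked above. The device name "inspan", the ports 67/10067/11813 and the backend 100.64.0.15 come from the thread; the local MAC 02:00:00:00:00:01 and the second backend 100.64.0.16 are assumptions. The ingress rule feeding port 11813 is not shown in the thread, so only the DHCP rewrite is included here.

```nft
# Added example, not from the thread. Assumptions: the MAC of "inspan"
# is 02:00:00:00:00:01 and 100.64.0.16 is a second backend next to the
# 100.64.0.15 mentioned in the thread.

table netdev span {
    chain ingress {
        type filter hook ingress device "inspan" priority 0;

        # Mirrored frames carry someone else's destination MAC, so the
        # driver has already marked them PACKET_OTHERHOST and ip_rcv()
        # would drop them. Rewriting ether daddr alone does not undo that
        # mark; "meta pkttype set host" does. The port move keeps the
        # packets away from any real DHCP socket on this box; nft fixes
        # the UDP checksum for the port change itself.
        udp dport 67 udp dport set 10067 ether daddr set 02:00:00:00:00:01 meta pkttype set host counter
    }
}

table ip todos {
    chain enat {
        type nat hook prerouting priority dstnat;

        # Round-robin: each new conntrack entry goes to the next backend.
        udp dport 10067 counter dnat to numgen inc mod 2 map { 0 : 100.64.0.15, 1 : 100.64.0.16 }

        # Sticky: the same source address always lands on the same
        # backend, so one client's packets stay on one collector.
        udp dport 11813 counter dnat to jhash ip saddr mod 2 map { 0 : 100.64.0.15, 1 : 100.64.0.16 }
    }
}
```

The dnat'd packets leave this box through the forward path rather than being delivered locally, so net.ipv4.ip_forward has to be enabled for them to reach the backends. Adding a backend means extending the map and the "mod N" value together; "nft list ruleset" with the counters is the quickest way to confirm that the ingress rule is actually hitting before looking at the nat stage.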