Hi Volodymyr, On Mon, Oct 30, 2023 at 11:20:55PM +0100, Volodymyr Litovka wrote: > Hi Pablo, > > On 10/30/23 09:41, Pablo Neira Ayuso wrote: > > Then, to forward packets to some other box from the 'netdev' family, > > use the 'fwd' statement: > > > > udp dport 67 udp dport set 10067 counter fwd to 100.64.0.66 device "eth0" > > > > This rule above is mangling your UDP destination port from 67 to > > 10067, then it send the packet to 100.64.0.66 and device "eth0". The > > destination MAC address is updated by the neighbour layer so you do > > not have to bother with "ether daddr set ..." > > This works, thanks. But - all packets are duplicated :) I see no duplicates, see below. > If I run on the receiving host the command (in short - extract what I'm > interested in) > > tshark -i enp1s0 -l -f 'port 10067 and ether[42:1]==2' -d > udp.port=10067,dhcp -V -Y 'dhcp.option.dhcp==5' -V -E "separator=|" -E > "quote=n" -E "occurrence=a" -T fields -e > "dhcp.option.agent_information_option.value" -e "dhcp.ip.client" > > then when using the old version of rules (just to check and compare) - > udp dport 67 meta pkttype set other ether daddr set 96:9f:7c:d3:c3:66 ip > daddr set 100.64.0.15 udp dport set 10067 counter accept > > then tshark shows everything is ok, but if using - > udp dport 67 udp dport set 10067 counter fwd ip to 100.64.0.15 device enp1s0 I had to cleanup your snippet, it contains non-breaking space (0xc2 0x0a) which makes the parser unhappy: test.nft:2:1-1: Error: syntax error, unexpected junk chain rewrit { ^ This is the cleaned up result: table netdev inspan { chain rewrit { type filter hook ingress device "inspan" priority filter; policy drop; udp dport 67 udp dport set 10067 counter packets 9510 bytes 4137201 fwd ip to 100.64.0.15 device "enp1s0" } } > then every packet (same running tshark) is duplicated: > > 64702...31333430|x.x.x2.238 > 64702...31333430|x.x.x2.238 I suspect this shows the packet coming in (ingress) and coming out (egress) on the same device. I can see this in tcpdump, I made a similar ruleset that matches on udp dport 8000, it mangles it to udp 8888 and forwards it to the same device: 14:52:32.753056 IP 192.168.210.137.51820 > 192.168.210.130.8000: UDP, length 4 14:52:32.753149 IP 192.168.210.137.51820 > 192.168.210.130.8888: UDP, length 4 The first packet is the packet shown by tcpdump at ingress, the second packet is the packet that is forwarded and tcpdump shows it at egress. On the collector, I can see one single packet with UDP port 8888. > Any ideas why this can happen? I think what you observe from tshark / tcpdump is the packet at ingress and then (being reflected) at egress.