On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.
ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
-j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
I can get close to recreating this with nftables, but it is missing the functionality provided by the --snat-arp argument.
table bridge filter {
chain POSTROUTING {
type filter hook postrouting priority 0; policy accept;
ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
}
}
My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?
$ tcpdump -enni any arp or icmp
12:39:08.525439 vb-p0 P ifindex 5 aa:18:f0:55:79:1e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
12:39:08.525441 ens192 Out ifindex 2 00:50:56:96:12:5e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
