Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu-based box is
correcting coordinates transferred over the wire.
This is an old setup coming from the age of iptables and ebtables. I tried to
move to the nft command line, but with no success. The ebtables command works,
but nft does not. Note: the box is running nftables with the iptables and ebtables
interface.
When I convert the ebtables command into an nft rule, this rule never gets hit,
while its ebtables equivalent does.
nft version:
# nft -V
nftables v1.0.2 (Lester Gooch)
cli: editline
json: yes
minigmp: no
libxtables: yes
Script setting the nft ruleset via nft and ebtables:
#!/bin/bash
IP=*IP*
PORT=*PORT*
nft flush ruleset
nft -f - <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
    }
}
....
NFT
# this rule does not work in NFT (yet?)
ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp \
    --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT
Resulting ruleset; as you can see, the ebtables rule is hit, the nft one is not.
When I try to match the rules word by word, I usually get an error:
# nft list ruleset
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta ibrname "*DEV*" ip daddr *IP* ether type ip tcp dport *PORT* meta pkttype set host
        meta ibrname "*DEV*" ether type ip ip daddr *IP* tcp dport *PORT* counter packets 14011 bytes 977273 meta set pkttype host
    }
}
Is it supported? If so, what is correct nft rule definition?
Thanks
Oto
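One check worth making before concluding that the hand-written rule is never matched: in the listed ruleset the ebtables-translated rule carries a `counter` statement and the native nft rule does not, so `nft list ruleset` can only ever show hits for the former. The script below is an added example, not part of Oto's post or of the nftables project. It keeps the match expressions and the `meta pkttype set host` action exactly as posted, adds `counter` and `log prefix` to that rule, adds a broader rule that counts every TCP packet to the port reaching the bridge prerouting hook (so a mismatch on `ibrname` or `ip daddr` can be told apart from the packet never arriving at the hook at all), and syntax-checks the result with `nft -c -f -` when nft is installed. The interface, address and port defaults (br0, 192.0.2.10, 502) are constructed sample values standing in for the post's *DEV*, *IP* and *PORT* placeholders; checking or loading the ruleset needs root.

```shell
#!/bin/bash
# Added example, not code from the original post. Emits the bridge nat
# ruleset from the post with hit accounting (counter) and logging added,
# and syntax-checks it with `nft -c` when nft is present.
# Interface, address and port values are placeholders/constructed samples.

# build_ruleset DEV IP PORT -> prints a complete nft ruleset on stdout.
# The match expressions and the `meta pkttype set host` action are the
# ones from the post, unchanged; `counter` and `log prefix` are added so
# that `nft list ruleset` and the kernel log show whether the rule fires.
build_ruleset() {
    local dev="$1" ip="$2" port="$3"
    cat <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        # diagnostic: every TCP packet to the port that reaches this hook
        ether type ip tcp dport ${port} counter
        # the rule from the post, with hit accounting and logging added
        meta ibrname "${dev}" ip daddr ${ip} ether type ip tcp dport ${port} counter log prefix "br-nat-hit: " meta pkttype set host
    }
}
NFT
}

# check_ruleset DEV IP PORT -> 0 if nft accepts the ruleset, 1 if it
# rejects it; skipped (returns 0) when nft is not installed.
# `nft -c` still talks to the kernel, so this needs root like a real load.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    build_ruleset "$@" | nft -c -f -
}

# show_hits -> prints the counter lines of the chain from the live
# ruleset; compare the two rules after sending traffic to the port.
show_hits() {
    nft list chain bridge nat PREROUTING | grep 'counter packets'
}

main() {
    # constructed sample values, not from the original post
    local dev="${1:-br0}" ip="${2:-192.0.2.10}" port="${3:-502}"
    build_ruleset "$dev" "$ip" "$port"
    check_ruleset "$dev" "$ip" "$port"
}

# Only auto-run when invoked with explicit arguments, e.g.
#   ./br-nat-diag.sh br0 192.0.2.10 502 > ruleset.nft
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

To use it, source the file and load the output as root with `build_ruleset br0 192.0.2.10 502 | nft -f -` (flush first, as the post's script does, if the rules should not be appended to an existing `bridge nat` table), send traffic to the port, then run `show_hits`: if the first counter climbs and the second does not, the packet reaches the hook but fails the `ibrname`/`ip daddr` match; if neither climbs, it never reaches bridge prerouting with that port. The `log prefix "br-nat-hit: "` line appears in the kernel log for every packet that does match.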