On Wed, 29 May 2024, at 10:07 AM, netfilter@xxxxxxxxxx wrote:
> Hi guys, I have a kind of Man-In-the-Middle setup, where an Ubuntu based box is
> correcting coordinates transferred through the wire.
>
> This is an old setup coming from the age of iptables and ebtables. I tried to
> move to the nft command line, but with no success. The ebtables command works,
> but nft does not. Note: the box is running nftables with the iptables and ebtables
> interface.
>
> When I convert the ebtables command into an nft rule, this rule never gets hit,
> while its ebtables equivalent does.
>
> nft version
>
> # nft -V
> nftables v1.0.2 (Lester Gooch)
> cli: editline
> json: yes
> minigmp: no
> libxtables: yes
>
>
> script setting the nft ruleset via nft and ebtables
>
> #!/bin/bash
> IP=*IP*
> PORT=*PORT*
>
> nft flush ruleset
> nft -f - <<NFT
> table bridge nat {
>     chain PREROUTING {
>         type filter hook prerouting priority dstnat; policy accept;
>         meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
>     }
> }
> ....
> NFT
> # this rule does not work in NFT (yet?)
> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT
>
>
> resulting ruleset; as you can see the ebtables rule is hit, the nft rule is not. When
> I try to match the rules word by word, I usually get an error
>
> # nft list ruleset
> table bridge nat {
>     chain PREROUTING {
>         type filter hook prerouting priority dstnat; policy accept;
>         meta ibrname "*DEV*" ip daddr *IP* ether type ip tcp dport *PORT* meta pkttype set host

I note that "meta pkttype set host" isn't valid syntax, though your shell script has it right. Still, this rule has no counter. How can you be so sure that it isn't being hit? Could it perhaps be that it is hit, with processing continuing due to the absence of the "accept" keyword?

-- 
Kerin Millar
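The reply above suggests two things to check before concluding the nft rule is dead: give the rule a `counter` so `nft list ruleset` shows how many packets matched it, and end it with an explicit `accept` verdict. The script below is an added example, not code from either participant in the thread: it emits a bridge ruleset equivalent to the one quoted, with `counter` and `accept` added, and then parses the packet count back out of `nft list ruleset` output. The bridge name, address and port are assumed placeholders, and the listing it parses is a constructed sample (the script never loads anything into the kernel, so it runs without root).

```shell
#!/bin/sh
# Added example: corrected bridge ruleset plus a helper that reads the
# per-rule hit count out of "nft list ruleset" output.
# DEV, IP and PORT below are assumed placeholders; replace with real values.

DEV="${DEV:-br0}"          # assumed bridge interface name
IP="${IP:-192.0.2.10}"     # assumed destination address (documentation range)
PORT="${PORT:-8080}"       # assumed TCP destination port

# Print the ruleset from the thread with two additions:
#   counter -> the listing will show "counter packets N bytes M" for the rule
#   accept  -> evaluation stops here instead of falling through the chain
# Load it for real with:  ruleset_with_counter | nft -f -   (needs root)
ruleset_with_counter() {
    cat <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta ibrname "$DEV" ip daddr $IP ether type ip tcp dport $PORT counter meta pkttype set host accept
    }
}
NFT
}

# Read "nft list ruleset" output on stdin and print the packet count of the
# first rule that matches "tcp dport <port>" and carries a counter.
# Prints 0 when no such rule (or no counter) is present.
counter_packets() {
    awk -v port="$1" '
        index($0, "tcp dport " port " ") && index($0, "counter packets") {
            for (i = 1; i <= NF; i++)
                if ($i == "packets") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print 0 }
    '
}

# Constructed sample of what "nft list ruleset" prints once the rule has
# a counter and has seen some traffic; this is not output from the thread.
SAMPLE_LISTING='table bridge nat {
	chain PREROUTING {
		type filter hook prerouting priority dstnat; policy accept;
		meta ibrname "br0" ip daddr 192.0.2.10 ether type ip tcp dport 8080 counter packets 17 bytes 1324 meta pkttype set host accept
	}
}'

# Exit 0 if the rule for the given port has matched at least one packet.
rule_was_hit() {
    hits=$(counter_packets "$1")
    [ "$hits" -gt 0 ]
}

# When run directly: show the corrected ruleset, then the parsed hit count
# from the sample listing (17). With a live system you would instead pipe
# "nft list ruleset" into counter_packets.
ruleset_with_counter
printf '%s\n' "$SAMPLE_LISTING" | counter_packets "$PORT"
```

The point of `counter` is diagnostic: a rule that shows `packets 0` after traffic has flowed is genuinely not matching, whereas a non-zero count with the wrong end result points at what happens after the match, which is exactly the `accept` question raised in the reply.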