On 2024-05-30 01:17, Kerin Millar wrote:
On Wed, 29 May 2024, at 10:07 AM, netfilter@xxxxxxxxxx wrote:
Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu-based box is
correcting coordinates transferred through the wire.
This is an old setup coming from the age of iptables and ebtables. I tried to
move to the nft command line, but with no success. The ebtables command works,
but nft does not. Note: the box is running nftables with the iptables and ebtables
interface.
When I convert the ebtables command into an nft rule, this rule never gets hit,
while its ebtables equivalent does.
New wording: the nft-based rule is not executed as expected - it does not
drop the bridged connection into the box.
nft version
# nft -V
nftables v1.0.2 (Lester Gooch)
Script setting the nft ruleset via nft and ebtables:
#!/bin/bash
IP=*IP*
PORT=*PORT*
nft flush ruleset
# nft ends a rule at the newline, so each rule has to stay on one line
nft -f - <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
    }
}
....
NFT
# this rule does not work in NFT (yet?)
ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT
Resulting ruleset; as you can see the ebtables rule is hit, the nft one is not. When
I try to match the rules word by word, I usually get an error:
# nft list ruleset
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta ibrname "*DEV*" ip daddr *IP* ether type ip tcp dport *PORT* meta pkttype set host
I note that "meta pkttype set host" isn't valid syntax, though your shell script has it right. Still, this rule has no counter. How can you be so sure that it isn't being hit? Could it perhaps be that it is hit, with processing continuing due to the absence of the "accept" keyword?
Thanks for the response.
1. You are right: after adding a counter I can see the rule get hit, but it does
nothing (the next rule in the same table is executed, even though it should not be, and
the coordinate corrector is not connected if the ebtables rule is not used).
2. 'meta pkttype set host' is the only way I could make the nft ruleset
parse. Now when I try to 'import' the rule back as 'exported' through nft list
ruleset, that is, using 'meta set pkttype host', I get the error 'Error:
syntax error, unexpected set', so it seems export + import would not work here.
3. I just tried to export to JSON format. The nft rule and the ebtables rule
differ. The ebtables rule has one "xt": null in place of 'daddr' and
'dport', and another one in place of 'mangle'. It seems the rules are not the same
even when their list output is almost the same. Is it possible nftables
actually adds the rule at the IP level instead of Ethernet? In any case (and more
importantly), does anyone know how to fix it?
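An added example, not from the thread, of what the rule looks like with Kerin's two observations applied: a counter in front of it, and an explicit accept verdict mirroring the ebtables --redirect-target ACCEPT, plus a small check that reads the counter back out of an nft list ruleset listing. The bridge name br0, the address 192.0.2.10 and port 5000 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the ebtables rule
#   -j redirect --redirect-target ACCEPT
# in nft: rewrite the packet type to host AND stop rule processing with an
# explicit accept, with a counter in front so "nft list ruleset" shows hits.
# Bridge name, IP and port are caller-supplied placeholders.

gen_ruleset() {
    dev=$1; ip=$2; port=$3
    cat <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        # rule as posted in the thread, for comparison (no counter, no verdict):
        # meta ibrname "$dev" ip daddr $ip ether type ip tcp dport $port meta pkttype set host
        meta ibrname "$dev" ether type ip ip daddr $ip tcp dport $port counter meta pkttype set host accept
    }
}
NFT
}

# Syntax-check the generated ruleset with nft --check when nft is installed;
# otherwise only print it, so the script stays usable on a box without nft.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset "$@" | nft -c -f -
    else
        gen_ruleset "$@"
    fi
}

# Read the packet count of the first "counter packets N bytes M" in an
# "nft list ruleset" listing given on stdin; succeed only if N > 0.
rule_hit() {
    pkts=$(sed -n 's/.*counter packets \([0-9][0-9]*\) bytes [0-9][0-9]*.*/\1/p' | head -n 1)
    [ -n "$pkts" ] && [ "$pkts" -gt 0 ]
}
```

Load it with `check_ruleset br0 192.0.2.10 5000 | nft -f -` and then `nft list ruleset | rule_hit` tells you whether traffic reached the rule.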