netfilter@xxxxxxxxxx <netfilter@xxxxxxxxxx> wrote:
> Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu-based box
> is correcting coordinates transferred through the wire.
>
> This is an old setup coming from the age of iptables and ebtables. I tried
> to move to the nft command line, but with no success. The ebtables command
> works, but nft does not. Note: the box is running nftables with the iptables
> and ebtables interfaces.
>
> When I convert the ebtables command into an nft rule, this rule never gets
> hit, while its ebtables equivalent does.
>
> nft version
>
> # nft -V
> nftables v1.0.2 (Lester Gooch)
>   cli: editline
>   json: yes
>   minigmp: no
>   libxtables: yes
>
>
> script setting the nft ruleset via nft and ebtables
>
> #!/bin/bash
> IP=*IP*
> PORT=*PORT*
>
> nft flush ruleset
> nft -f - <<NFT
> table bridge nat {
>     chain PREROUTING {
>         type filter hook prerouting priority dstnat; policy accept;
>         meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
>     }
> }
> ....
> NFT
> # this rule does not work in NFT (yet?)
> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp \
>   --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT

-j redirect mangles the ethernet destination address to that of the bridge
device. See this example from nft(8):

# assumes 00:11:22:33:44:55 is local MAC address.
bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
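Putting the reply's point into a ruleset the poster could load: the script below is an added example, not code from the thread or from the nftables project. It generates the bridge-family nft rule that corresponds to the ebtables `-j redirect` rule, adding the `ether daddr set` statement that the poster's nft rule lacks, and refuses to emit a rule that would rewrite frames to a non-unicast MAC. The device name `br0`, the address `10.0.0.5`, the port `8080` and the MAC `00:11:22:33:44:55` used in the usage line are assumed values, as is reading the bridge MAC from `/sys/class/net/<dev>/address` when none is given.

```shell
#!/bin/bash
# Added example, not from the thread or the nftables project: build the
# bridge-family nft ruleset equivalent of the poster's ebtables rule.
# The ebtables "-j redirect" target rewrites the ethernet destination to the
# bridge's own MAC; "meta pkttype set host" alone only changes the packet
# type, so the nft rule also needs "ether daddr set <bridge MAC>".
# Device, address, port and MAC values in the usage line are assumptions.

# redirect_ruleset DEV IP PORT [MAC]
# Prints the ruleset to stdout. If MAC is omitted it is read from
# /sys/class/net/DEV/address (Linux only), i.e. the bridge's own address.
redirect_ruleset() {
    local dev="$1" ip="$2" port="$3" mac="${4:-}"
    if [ -z "$mac" ]; then
        mac=$(cat "/sys/class/net/$dev/address" 2>/dev/null) || {
            echo "cannot read MAC of $dev" >&2
            return 1
        }
    fi
    # Only a unicast address makes sense as the rewritten destination:
    # the low bit of the first octet must be 0 (second hex digit even).
    case "$mac" in
        [0-9a-fA-F][02468aceACE]:[0-9a-fA-F][0-9a-fA-F]:*) ;;
        *)
            echo "refusing non-unicast or malformed MAC: $mac" >&2
            return 1
            ;;
    esac
    cat <<NFT
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        # nft counterpart of:
        #   ebtables -t nat -A PREROUTING --logical-in $dev -p ipv4 --ip-protocol tcp
        #            --ip-dst $ip --ip-dport $port -j redirect --redirect-target ACCEPT
        meta ibrname "$dev" ip daddr $ip tcp dport $port meta pkttype set host ether daddr set $mac accept
    }
}
NFT
}

# Usage (assumed values): redirect_ruleset br0 10.0.0.5 8080 | nft -f -
```

The generated rule keeps the poster's `meta pkttype set host` (nft(8) spells the same value `unicast` in its example) and appends `ether daddr set` plus an `accept` verdict, which is what `--redirect-target ACCEPT` did on the ebtables side. Run it after the existing `nft flush ruleset`, exactly where the poster's heredoc sits today.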