Re: ebtables rule rewriten to nft 'set host' does not work

netfilter@xxxxxxxxxx <netfilter@xxxxxxxxxx> wrote:
> Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu based box is
> correcting coordinates transferred through the wire.
> 
> This is an old setup coming from the age of iptables and ebtables. I tried to move
> to the nft command line, but with no success. The ebtables command works, but nft
> does not. Note: the box is running nftables with the iptables and ebtables interfaces.
> 
> When I convert the ebtables command into an nft rule, this rule never gets hit,
> while its ebtables equivalent does.
> 
> nft version
> 
> # nft -V
> nftables v1.0.2 (Lester Gooch)
>   cli:          editline
>   json:         yes
>   minigmp:      no
>   libxtables:   yes
> 
> 
> script setting nft ruleset via nft and ebtables
> 
> #!/bin/bash
> IP=*IP*
> PORT=*PORT*
> 
> nft flush ruleset
> nft -f - <<NFT
> table bridge nat {
>         chain PREROUTING {
>                 type filter hook prerouting priority dstnat; policy accept;
>                 meta ibrname "*DEV*"  ip daddr ${IP}  ether type ip  tcp dport ${PORT}  meta pkttype set host
>         }
> }
> ....
> NFT
> # this rule does not work in NFT (yet?)
> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT

-j redirect mangles the ethernet destination address to that of the bridge
device.

See this example from nft(8):

 # assumes 00:11:22:33:44:55 is local MAC address.
 bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport \
   80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
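A complete form of the conversion the reply points at, written here as an added example (it is neither the poster's script nor the nft(8) text): the bridge-family rule keeps the poster's matches but, like ebtables `-j redirect`, also rewrites the Ethernet destination to the bridge's own MAC so the frame is handed to the local stack rather than forwarded. It assumes a Linux host where the bridge MAC can be read from /sys/class/net/<dev>/address, uses `unicast` for the packet type as the quoted nft(8) example does, and adds a `counter` so `nft list ruleset` shows whether the rule is being hit, which was the poster's diagnostic problem. The bridge name, IP, port and MAC used in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example: build and load a bridge-family nft ruleset that reproduces
# "ebtables -t nat ... -j redirect --redirect-target ACCEPT".
# The rule must both set the packet type AND rewrite the Ethernet destination
# to the bridge MAC; the poster's version only did the former.

# build_ruleset DEV IP PORT MAC -> prints the ruleset on stdout.
build_ruleset() {
    dev=$1; ip=$2; port=$3; mac=$4
    cat <<NFT
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority dstnat; policy accept;
                meta ibrname "$dev" ip daddr $ip ether type ip tcp dport $port counter meta pkttype set unicast ether daddr set $mac
        }
}
NFT
}

# bridge_mac DEV -> MAC address of the bridge device.
# Assumption: standard Linux sysfs layout under /sys/class/net.
bridge_mac() {
    cat "/sys/class/net/$1/address"
}

# Only load into the kernel when run directly with arguments, e.g.:
#   sh redirect.sh br0 10.0.0.5 8080     (constructed sample values)
if [ "$#" -eq 3 ]; then
    mac=$(bridge_mac "$1") || exit 1
    nft flush ruleset
    build_ruleset "$1" "$2" "$3" "$mac" | nft -f -
fi
```

After loading, `nft list ruleset` prints the rule with its packet and byte counters; a counter that stays at zero while the ebtables equivalent matches means the match part is wrong, whereas a rising counter with no effect means the rewrite part is.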
