Re: ebtables rule rewritten to nft 'set host' does not work


 




On 2024-05-30 15:10, Florian Westphal wrote:
netfilter@xxxxxxxxxx <netfilter@xxxxxxxxxx> wrote:
Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu-based box
corrects coordinates transferred over the wire.

This is an old setup from the age of iptables and ebtables. I tried to move
to the nft command line, but with no success. The ebtables command works, but nft
does not. Note: the box is running nftables with the iptables and ebtables interface.

When I convert the ebtables command into an nft rule, this rule never gets hit,
while its ebtables equivalent does.

nft version:

# nft -V
nftables v1.0.2 (Lester Gooch)


Script setting the nft ruleset via nft and ebtables:

#!/bin/bash
IP=*IP*
PORT=*PORT*

nft flush ruleset
nft -f - <<NFT
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority dstnat; policy accept;
                meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
        }
}
....
NFT
# this rule does not work in NFT (yet?)
ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT

-j redirect mangles the Ethernet destination address to that of the bridge
device.

See this example from nft(8):

  # assumes 00:11:22:33:44:55 is local MAC address.
  bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport \
    80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

The explanation seems to make sense. When this project started, some decade ago, I used ebtables ... -j DROP, which was meant to move the packet/connection from the bridge into routing. Getting the MAC address may get tricky, but it is doable, as the bridge may have a dynamic MAC; fortunately that is not my case. I still need to get the MAC from the bridge, to have one script for all installations.

I don't know how I may have missed that in the manual. Unfortunately, the copy-pasted example does not parse.

# nft bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

Error: syntax error, unexpected meta, expecting string

bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55


I will try to poke at it and let you know if I succeed.
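The script the thread is converging on, as an added example that is not code from the poster, from Florian, or from the nftables project: it reads the bridge's MAC address from sysfs (`/sys/class/net/<dev>/address`, the kernel's standard interface for that) so one script works on every installation, and generates a bridge-family ruleset using the `meta pkttype set unicast` / `ether daddr set` pair from the nft(8) example in place of ebtables' `-j redirect`. The table name `nat`, the chain name `PREROUTING`, the `counter` statement and the argument layout are choices made here, not anything the thread prescribes.

```bash
#!/bin/bash
# Added example (not code from the thread or from nftables): install the
# nft bridge-family counterpart of
#   ebtables -t nat -A PREROUTING ... -j redirect --redirect-target ACCEPT
# Assumed names: table "nat", chain "PREROUTING". The sysfs path is the
# standard kernel interface for a device's MAC address.
set -eu

# Read and validate the MAC address of a network device.
# $1 = device name; $2 = sysfs root (default /sys/class/net, overridable
# so the function can be exercised against a constructed directory).
bridge_mac() {
    local dev=$1 sysroot=${2:-/sys/class/net} f mac
    f="$sysroot/$dev/address"
    [ -r "$f" ] || { echo "bridge_mac: no such device: $dev" >&2; return 1; }
    mac=$(tr -d '[:space:]' < "$f")
    # sysfs gives lower-case colon-separated hex; refuse anything else rather
    # than splicing it into a ruleset that nft -f will parse
    case $mac in
        ??:??:??:??:??:??) ;;
        *) echo "bridge_mac: unexpected MAC for $dev: '$mac'" >&2; return 1 ;;
    esac
    printf '%s\n' "$mac"
}

# Print a ruleset for "nft -f -" that does what ebtables' "-j redirect" did:
# rewrite the Ethernet destination of matching frames to the bridge's own MAC
# and mark them host-bound, so the bridge hands them to the local IP stack
# instead of forwarding them. The counter makes "does this rule ever get
# hit?" answerable with "nft list ruleset bridge".
# $1 = bridge device, $2 = destination IPv4 address, $3 = TCP port, $4 = MAC
build_ruleset() {
    local dev=$1 ip=$2 port=$3 mac=$4
    cat <<EOF
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority dstnat; policy accept;
                meta ibrname "$dev" ether type ip ip daddr $ip tcp dport $port counter meta pkttype set unicast ether daddr set $mac
        }
}
EOF
}

# Replace only our own table (instead of "nft flush ruleset", which would
# also wipe tables other tools own) and load the generated ruleset.
# Deleting first avoids appending a duplicate rule on every run.
# Usage: apply_rules br0 192.0.2.10 5000   (needs root and the nft binary)
apply_rules() {
    local dev=$1 ip=$2 port=$3 mac
    mac=$(bridge_mac "$dev")
    nft delete table bridge nat 2>/dev/null || true
    build_ruleset "$dev" "$ip" "$port" "$mac" | nft -f -
}
```

After `apply_rules br0 192.0.2.10 5000`, `nft list ruleset bridge` shows the rule with its packet counter; if the counter stays at zero while the ebtables rule matched, the match part (`meta ibrname`, `ip daddr`, `tcp dport`) is what to look at, not the mangling statements. On the parse error quoted above: `nft add rule` takes the family, table and chain before the rule body, as in `nft add rule bridge nat PREROUTING meta iif eth0 ...`, so the nft(8) fragment cannot be fed to the CLI as-is without a table name in front of the chain.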



