On 2024-05-30 15:10, Florian Westphal wrote:
> netfilter@xxxxxxxxxx <netfilter@xxxxxxxxxx> wrote:
> > Hi guys, I got a kind of Man-In-the-Middle setup, where an Ubuntu-based box is
> > correcting coordinates transferred through the wire.
> > This is an old setup coming from the age of iptables and ebtables. I tried
> > to move to the nft command line, but with no success. The ebtables command
> > works, but nft does not. Note: the box is running nftables with the iptables
> > and ebtables interfaces.
> > When I convert the ebtables command into an nft rule, this rule never gets hit,
> > while its ebtables equivalent does.
>
> -j redirect mangles the ethernet destination address to that of the bridge
> device.
> See this example from nft(8):
>
> # assumes 00:11:22:33:44:55 is local MAC address.
> bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport \
> 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
After some tweaking I came up with a working version:
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        meta iifname *NICDEV* ip daddr *IP* tcp dport *PORT* meta pkttype set unicast counter ether daddr set *MAC* # for specific bridge port
        meta ibrname *BRDEV* ip daddr *IP* tcp dport *PORT* meta pkttype set unicast counter ether daddr set *MAC* # for whole bridge
    }
}
This seems to do what I need. Now questions:
* is this a correct long-term solution, or should I expect it to break again?
* can the MAC be avoided? Note: there is a similar rule on the IP level NATing ip
daddr to the bridge IP
* what does set unicast/host mean in this rule?
* why would 'nft list ruleset | nft' yield an incomplete (non-working) rule
set or even a parsing error?
Anyways, thanks for the help
Oto
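Added example, not part of the thread and not written by either poster: a POSIX shell helper that writes the bridge-family redirect rules from the working version above into a ruleset file, syntax-checks it with nft -c -f (check mode, which parses and validates without touching the kernel) and then loads it with nft -f. The function names, the table/flush lines that make repeated loads idempotent, and all interface, IP, port and MAC values are constructed for illustration; the test values are not from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate and safely load
# the bridge-family redirect rules as an nft ruleset file.
# Every concrete value passed to these functions is a constructed placeholder.

# Print an nft ruleset that rewrites the destination MAC of TCP traffic for
# IP:PORT arriving on the bridge. The leading "table bridge nat {}" plus
# "flush table bridge nat" lines make the file idempotent: loading it twice
# replaces the rules instead of appending duplicates.
gen_bridge_nat_ruleset() {
    nicdev=$1; brdev=$2; ip=$3; port=$4; mac=$5
    cat <<EOF
table bridge nat {}
flush table bridge nat
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        # for a specific bridge port
        meta iifname "$nicdev" ip daddr $ip tcp dport $port meta pkttype set unicast counter ether daddr set $mac
        # for the whole bridge
        meta ibrname "$brdev" ip daddr $ip tcp dport $port meta pkttype set unicast counter ether daddr set $mac
    }
}
EOF
}

# Syntax-check a ruleset file without changing the kernel (nft -c), then load
# it atomically with nft -f. Returns 2 when nft is not installed so callers
# can tell "not tested" apart from "rejected by nft".
load_ruleset_checked() {
    file=$1
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$file" || return 1
    nft -f "$file"
}

# Count the rules in a ruleset file that rewrite the destination MAC; useful
# as a quick sanity check before loading.
count_daddr_rules() {
    grep -c 'ether daddr set' "$1"
}

# Usage (constructed values):
#   gen_bridge_nat_ruleset eth0 br0 192.0.2.10 80 00:11:22:33:44:55 > /tmp/bridge-nat.nft
#   load_ruleset_checked /tmp/bridge-nat.nft
```

Writing the rules to a file and loading it with nft -f keeps the whole table in one transaction, and the -c pass surfaces parse errors before anything reaches the kernel.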