For starters - verify that ether-type is XXX, lowest bit of byte 0 of payload is 0 and second byte is YY. I managed to do that with raw matches, along with "set" to rewrite the destination MAC address. I assume that putting that in bridge/nat/prerouting chain will do the trick and the bridge will forward the packet to the new destination. -- Paweł Kraszewski pt., 14 cze 2024 o 17:26 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> napisał(a): > > On Fri, Jun 14, 2024 at 09:01:22AM +0200, Pawel Kraszewski wrote: > > Hello! > > > > I'm trying to write a simple match module for ebtables. Nothing fancy, > > just check ethertype and first 2 bytes of payload. I need to make > > ebtables' dnat, based on a custom in-packet tag: > > > > > ebtables -t nat -A PREROUTING -i eth0 --MYMATCH-tag 10 -j dnat --to-destination SO:ME:MA:CA:DD:RS > > > > Kernel module ebt_MYMATCH.ko is almost ready (it just accepts > > everything now, just a PoC for now), based mostly on ebt_vlan. > > > > What I am absolutely stuck on is xtables/libebt_MYMATCH.so library. I > > mean, it is written, compiled properly, and objdump reports the same > > structure as existing ones (say, libebt_vlan.so). The only slight > > problem is that ebtables doesn't detect or recognize it. > > > > When running the above ebtables example under strace, it does iterate > > over "standard" libebt_* libraries (with newfstatat() and openat() ) > > but doesn't even try to touch mine with a long stick. It doesn't even > > check if it is there. > > > > When I do a match with existing libebt_* (say vlan), it still does > > iterate over all standard libraries (for iteration's sake) and then > > (apparently, there's no dload() or sth) just ignores libebt_vlan.so > > and pulls NFT gun. > > > > That's Arch system: > > * ebtables 1.8.10 (nf_tables) > > * iptables v1.8.10 (tried both legacy and nf_tables, no change in behaviour) > > * kernel 6.9.3-hardened1-1-hardened > > > > I even tried with manually compiled ebtables v2.0.11 (legacy), which > > is, um, dated 2011. > > > > What are my options now? Any guides on writing both nft kernel modules > > and matching userspace libraries? > > Or just forget all that and use raw @base,offset,length matches? > > That is an option, if you provide more info what --MYMATCH-tag 10 does.
