Hi,

On Tue, Aug 27, 2024 at 03:15:00PM -0500, Echo Nar wrote:
> Is there a way to set up a stateless NAT that updates ICMP payloads,
> i.e. destination-unreachable (type 3)?

At a quick glance, it should be possible to mangle ICMP payloads with a
userspace nft update only.

Would you file a bugzilla ticket to request this, to make sure this does
not get lost?

Thanks.

> With the current rules I have (shown below) I am able to receive ICMP
> destination-unreachable packets, but the payload is wrong, causing them
> to be dropped by clients. This pretty much breaks traceroute on both
> sides.
>
> Internal to external:
> IPv4 Header - Src: 192.0.2.2, Dst: 100.64.1.105
> ICMP Type 3 Payload - Src: 203.0.113.100, Dst: 192.0.2.2
>
> External to internal:
> IPv4 Header - Src: 203.0.113.100, Dst: 203.0.113.200
> ICMP Type 3 Payload - Src: 203.0.113.200, Dst: 100.64.1.105
>
> table ip NAT {
>     chain prerouting {
>         type filter hook prerouting priority raw; policy accept;
>         iif "eth0" ip daddr 203.0.113.100 ip daddr set 100.64.1.105
>         notrack return
>     }
>
>     chain postrouting {
>         type filter hook postrouting priority raw; policy accept;
>         oif "eth0" ip saddr 100.64.1.105 ip saddr set 203.0.113.100
>         notrack return
>     }
> }
>
> As a side note, tc performs ICMP modifications (but doesn't meet my
> needs), which is why I'm thinking nftables should be able to do it as
> well.
> --
> Thanks,
> Echo Nar
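The translation the thread is asking for, worked through as an added example in plain Python; it is not part of the message above, not nftables code, and not the poster's ruleset. It applies the same 1:1 mapping as the posted rules (203.0.113.100 <-> 100.64.1.105) to a constructed ICMP destination-unreachable packet, but rewrites the quoted inner IPv4 header as well as the outer one and recomputes the IP, ICMP and quoted-UDP checksums, which is exactly what the posted rules leave undone. The two addresses come from the thread; the UDP probe (ports 40000/33434, payload, TTL 64), the peer 203.0.113.200 as probe source, and all function names are this example's own assumptions.

```python
"""Stateless 1:1 NAT of an ICMPv4 error packet, quoted inner IPv4 header included,
with every affected checksum recomputed. Added example in plain Python, not nftables
code and not the poster's ruleset; the packets are constructed to mirror the thread."""
import socket
import struct

EXTERNAL = "203.0.113.100"   # public address from the thread
INTERNAL = "100.64.1.105"    # internal host it maps 1:1 to
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # types quoting the offending datagram after 8 bytes

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length zero-padded); 0 when verifying."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def csum_adjust(old_csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'), for the quoted UDP/TCP
    checksum, whose covered data is not available to recompute from scratch."""
    total = ~old_csum & 0xFFFF
    for (o,), (n,) in zip(struct.iter_unpack("!H", old), struct.iter_unpack("!H", new)):
        total += (~o & 0xFFFF) + n
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (TTL 64 assumed)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def udp_datagram(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4 + UDP datagram with a valid UDP checksum (pseudo-header included)."""
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(data), 0)) + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(udp))
    udp[6:8] = struct.pack("!H", checksum(pseudo + bytes(udp)) or 0xFFFF)
    return ipv4_header(src, dst, 17, len(udp)) + bytes(udp)

def icmp_error(src: str, dst: str, icmp_type: int, code: int, quoted: bytes) -> bytes:
    """ICMPv4 error message (type 3 = destination unreachable) quoting a datagram."""
    body = bytearray(struct.pack("!BBHI", icmp_type, code, 0, 0)) + quoted
    body[2:4] = struct.pack("!H", checksum(bytes(body)))
    return ipv4_header(src, dst, 1, len(body)) + bytes(body)

def nat_icmp_error(pkt: bytes, direction: str) -> bytes:
    """Apply the EXTERNAL<->INTERNAL mapping to one packet.
    "in"  mirrors the prerouting rule: outer dst and quoted src EXTERNAL->INTERNAL.
    "out" mirrors the postrouting rule: outer src and quoted dst INTERNAL->EXTERNAL.
    Packets the rule would not match are returned untouched."""
    outer_off, inner_off, old, new = {
        "in": (16, 12, socket.inet_aton(EXTERNAL), socket.inet_aton(INTERNAL)),
        "out": (12, 16, socket.inet_aton(INTERNAL), socket.inet_aton(EXTERNAL)),
    }[direction]
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1 or pkt[outer_off:outer_off + 4] != old:
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    outer[outer_off:outer_off + 4] = new
    outer[10:12] = b"\0\0"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    # The quoted datagram is what the receiver matches against the packet it sent,
    # so it must be translated as well; otherwise the error is silently dropped.
    if (icmp[0] in ICMP_ERROR_TYPES and len(icmp) >= 28
            and icmp[8 + inner_off:12 + inner_off] == old):
        inner = icmp[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        inner[inner_off:inner_off + 4] = new
        inner[10:12] = b"\0\0"
        inner[10:12] = struct.pack("!H", checksum(bytes(inner[:inner_ihl])))
        # UDP/TCP checksums cover the IP pseudo-header: adjust them if the field was quoted.
        proto, csum_off = inner[9], {17: 6, 6: 16}.get(inner[9])
        if csum_off is not None and len(inner) >= inner_ihl + csum_off + 2:
            field = slice(inner_ihl + csum_off, inner_ihl + csum_off + 2)
            old_csum = struct.unpack("!H", inner[field])[0]
            if proto == 6 or old_csum != 0:        # UDP 0 means "no checksum"
                new_csum = csum_adjust(old_csum, old, new)
                inner[field] = struct.pack("!H", new_csum or (0xFFFF if proto == 17 else 0))
        icmp[8:] = inner
        icmp[2:4] = b"\0\0"                       # ICMP checksum spans the quoted bytes
        icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer + icmp)

def demo_inbound() -> bytes:
    """Thread case 1: 192.0.2.2 answers the host's (already source-NATed) UDP probe."""
    probe = udp_datagram(EXTERNAL, "192.0.2.2", 40000, 33434, b"traceroute")
    return nat_icmp_error(icmp_error("192.0.2.2", EXTERNAL, 3, 3, probe[:28]), "in")

def demo_outbound() -> bytes:
    """Thread case 2: the internal host rejects a probe from 203.0.113.200."""
    probe = udp_datagram("203.0.113.200", INTERNAL, 40000, 33434, b"traceroute")
    return nat_icmp_error(icmp_error(INTERNAL, "203.0.113.200", 3, 3, probe[:28]), "out")
```

`demo_inbound()` and `demo_outbound()` return packets whose quoted datagram is byte for byte what the internal host sent (or what the peer sent), which is the comparison a client makes before acting on the error; with the posted ruleset only the outer header changes, which is the drop described in the thread. Only the types in `ICMP_ERROR_TYPES` carry a quoted datagram (3 and 11 are the ones traceroute depends on). The TCP checksum sits at offset 16 of the transport header, beyond the 8 quoted bytes RFC 792 requires, so it is only adjusted when the router quoted more than the minimum.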