IP SNAT in a bridge

IP SNAT in a bridge

[Marc SCHAEFER]

Hello,

I have two containers connected to a bridge. Let's assume the following
IP packet goes through the bridge:

192.168.101.3:80 > 192.168.101.4:12345

I would like to change the packet as follows:

1.2.3.4:80 > 192.168.101.4:12345

am I right that this has to be done as a -t nat POSTROUTING -j SNAT
iptables, but that will only work if ebtables forces the packet into
BROUTE mode first?

Something like:

   ebtables -t broute -I BROUTING -p 0x800 -i bridge \
      --ip-proto tcp --ip-sport 80 --ip-src 192.168.101.3/32 \
      -j DROP
   iptables -t nat -I POSTROUTING -s 192.168.101.3/32 -p tcp --sport 80 \
      -j SNAT --to-source 1.2.3.4:80

Or am I completely mistaken?

Thank you.

Re: IP SNAT in a bridge

[Marc SCHAEFER]

Hello,

On Thu, Mar 03, 2022 at 09:45:46PM +0100, Marc SCHAEFER wrote:
> am I right that this has to be done as a -t nat POSTROUTING -j SNAT
> iptables, but that will only work if ebtables forces the packet into
> BROUTE mode first?

I found out that if the br_netfilter module is loaded, it works without
the BROUTE.  I will investigate if there is a way to do it less globally.

Re: IP SNAT in a bridge

[Marc SCHAEFER]

On Fri, Mar 04, 2022 at 09:10:50AM +0100, Marc SCHAEFER wrote:
> I found out that if the br_netfilter module is loaded, it works without
> the BROUTE.  I will investigate if there is a way to do it less globally.

Apparently through ip link set dev BRIDGE type bridge nf_call_iptables 1

However, ebtables BROUTE seems incompatible with basic iptables (nft
only).