* ebtables rule rewritten to nft 'set host' does not work
@ 2024-05-29  9:07 netfilter
  2024-05-29 23:17 ` Kerin Millar
  2024-05-30 13:10 ` Florian Westphal
  0 siblings, 2 replies; 4+ messages in thread
From: netfilter @ 2024-05-29  9:07 UTC (permalink / raw)
  To: netfilter

Hi guys, I have a kind of man-in-the-middle setup, where an Ubuntu-based box is 
correcting coordinates transferred through the wire.

This is an old setup coming from the age of iptables and ebtables. I tried to 
move to the nft command line, but with no success. The ebtables command works, 
but nft does not. Note: the box is running nftables with the iptables and ebtables 
interface.

When I convert the ebtables command into an nft rule, this rule never gets hit, 
while its ebtables equivalent does.

nft version

# nft -V
nftables v1.0.2 (Lester Gooch)
   cli:          editline
   json:         yes
   minigmp:      no
   libxtables:   yes


script setting the nft ruleset via nft and ebtables

#!/bin/bash
IP=*IP*
PORT=*PORT*

nft flush ruleset
nft -f - <<NFT
table bridge nat {
         chain PREROUTING {
                 type filter hook prerouting priority dstnat; policy accept;
                 meta ibrname "*DEV*" ip daddr ${IP} ether type ip tcp dport ${PORT} meta pkttype set host
         }
}
....
NFT
# this rule does not work in NFT (yet?)
ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT


resulting ruleset; as you can see the ebtables rule is hit, the nft one is not. When 
I try to match the rules word by word, I usually get an error

# nft list ruleset
table bridge nat {
         chain PREROUTING {
                 type filter hook prerouting priority dstnat; policy accept;
                 meta ibrname "*DEV*" ip daddr *IP* ether type ip tcp dport *PORT* meta pkttype set host
                 meta ibrname "*DEV*" ether type ip ip daddr *IP* tcp dport *PORT* counter packets 14011 bytes 977273 meta set pkttype host
         }
}


Is it supported? If so, what is correct nft rule definition?


Thanks


Oto



* Re: ebtables rule rewritten to nft 'set host' does not work
  2024-05-29  9:07 ebtables rule rewritten to nft 'set host' does not work netfilter
@ 2024-05-29 23:17 ` Kerin Millar
  2024-05-30 13:10 ` Florian Westphal
  1 sibling, 0 replies; 4+ messages in thread
From: Kerin Millar @ 2024-05-29 23:17 UTC (permalink / raw)
  To: netfilter, netfilter

On Wed, 29 May 2024, at 10:07 AM, netfilter@e-posta.sk wrote:
> Hi guys I got kind of Man-In-Middle setup, where ubuntu based box is 
> correcting coordinates transferred thru wire.
>
> This is old setup coming from age of iptables and ebtables. I tried to 
> move to nft command-line, but with no success. ebtables command works, 
> but nft does not. Note: box is running nftables with iptable and ebtable 
> interface.
>
> When I convert ebtables command into nft rule, this rule never get hit, 
> while its ebtables equivalent does.
>
> nft version
>
> # nft -V
> nftables v1.0.2 (Lester Gooch)
>    cli:          editline
>    json:         yes
>    minigmp:      no
>    libxtables:   yes
>
>
> script setting nft ruleset via nft and ebtables
>
> #!/bin/bash
> IP=*IP*
> PORT=*PORT*
>
> nft flush ruleset
> nft -f - <<NFT
> table bridge nat {
>          chain PREROUTING {
>                  type filter hook prerouting priority dstnat; policy accept;
>                  meta ibrname "*DEV*"  ip daddr ${IP}  ether type ip  
> tcp dport ${PORT}  meta pkttype set host
>          }
> }
> ....
> NFT
> # this rule does not work in NFT (yet?)
> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol 
> tcp --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT
>
>
> resulting ruleset, as you can see ebtables rule is hit, nft is not, when 
> I try to match rules word by word, I usually get error
>
> # nft list ruleset
> table bridge nat {
>          chain PREROUTING {
>                  type filter hook prerouting priority dstnat; policy accept;
>                  meta ibrname "*DEV*" ip daddr *IP* ether type ip tcp 
> dport *PORT* meta pkttype set host

I note that "meta pkttype set host" isn't valid syntax, though your shell script has it right. Still, this rule has no counter. How can you be so sure that it isn't being hit? Could it perhaps be that it is hit, with processing continuing due to the absence of the "accept" keyword?

-- 
Kerin Millar


* Re: ebtables rule rewritten to nft 'set host' does not work
  2024-05-29  9:07 ebtables rule rewritten to nft 'set host' does not work netfilter
  2024-05-29 23:17 ` Kerin Millar
@ 2024-05-30 13:10 ` Florian Westphal
  2024-05-30 14:50   ` netfilter
  1 sibling, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2024-05-30 13:10 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

netfilter@e-posta.sk <netfilter@e-posta.sk> wrote:
> Hi guys I got kind of Man-In-Middle setup, where ubuntu based box is
> correcting coordinates transferred thru wire.
> 
> This is old setup coming from age of iptables and ebtables. I tried to move
> to nft command-line, but with no success. ebtables command works, but nft
> does not. Note: box is running nftables with iptable and ebtable interface.
> 
> When I convert ebtables command into nft rule, this rule never get hit,
> while its ebtables equivalent does.
> 
> nft version
> 
> # nft -V
> nftables v1.0.2 (Lester Gooch)
>   cli:          editline
>   json:         yes
>   minigmp:      no
>   libxtables:   yes
> 
> 
> script setting nft ruleset via nft and ebtables
> 
> #!/bin/bash
> IP=*IP*
> PORT=*PORT*
> 
> nft flush ruleset
> nft -f - <<NFT
> table bridge nat {
>         chain PREROUTING {
>                 type filter hook prerouting priority dstnat; policy accept;
>                 meta ibrname "*DEV*"  ip daddr ${IP}  ether type ip  tcp
> dport ${PORT}  meta pkttype set host
>         }
> }
> ....
> NFT
> # this rule does not work in NFT (yet?)
> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp
> --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT

-j redirect mangles the ethernet destination address to that of the bridge
device.

See this example from nft(8):

 # assumes 00:11:22:33:44:55 is local MAC address.
 bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport \
   80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55


* Re: ebtables rule rewritten to nft 'set host' does not work
  2024-05-30 13:10 ` Florian Westphal
@ 2024-05-30 14:50   ` netfilter
  0 siblings, 0 replies; 4+ messages in thread
From: netfilter @ 2024-05-30 14:50 UTC (permalink / raw)
  To: Florian Westphal, netfilter


On 2024-05-30 15:10, Florian Westphal wrote:
> netfilter@e-posta.sk <netfilter@e-posta.sk> wrote:
>> Hi guys I got kind of Man-In-Middle setup, where ubuntu based box is
>> correcting coordinates transferred thru wire.
>>
>> This is old setup coming from age of iptables and ebtables. I tried to move
>> to nft command-line, but with no success. ebtables command works, but nft
>> does not. Note: box is running nftables with iptable and ebtable interface.
>>
>> When I convert ebtables command into nft rule, this rule never get hit,
>> while its ebtables equivalent does.
>>
>> nft version
>>
>> # nft -V
>> nftables v1.0.2 (Lester Gooch)
>>
>>
>> script setting nft ruleset via nft and ebtables
>>
>> #!/bin/bash
>> IP=*IP*
>> PORT=*PORT*
>>
>> nft flush ruleset
>> nft -f - <<NFT
>> table bridge nat {
>>          chain PREROUTING {
>>                  type filter hook prerouting priority dstnat; policy accept;
>>                  meta ibrname "*DEV*"  ip daddr ${IP}  ether type ip  tcp
>> dport ${PORT}  meta pkttype set host
>>          }
>> }
>> ....
>> NFT
>> # this rule does not work in NFT (yet?)
>> ebtables -t nat -A PREROUTING --logical-in *DEV* -p ipv4 --ip-protocol tcp
>> --ip-dst $IP --ip-dport $PORT -j redirect --redirect-target ACCEPT
> -j redirect mangles ethernet destination address to that of bridge
> device.
>
> See this example from nft(8):
>
>   # assumes 00:11:22:33:44:55 is local MAC address.
>   bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport \
>     80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

The explanation seems to make sense. When this project started, some decade 
ago, I used ebtables ... -j DROP, which was meant to move the 
packet/connection from the bridge into routing. Getting the MAC address may get 
tricky, but it is doable, as the bridge may have a dynamic MAC; fortunately not my 
case. I still need to get the MAC from the bridge, to have one script for all 
installations.

I don't know how I may have missed that in the manual. Unfortunately, the copy-pasted 
example does not parse.

# nft bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

Error: syntax error, unexpected meta, expecting string

bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55


I will try to poke at it and let you know if I succeed.

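Putting Florian's answer together with Oto's two follow-up points (the nft(8) line is a rule fragment, not a complete command, and the bridge MAC has to be discovered per installation), here is an added example script. It is mine, not code from the thread or from the nftables project. It keeps the original script's table and chain (`bridge nat` / `PREROUTING`, `type filter hook prerouting priority dstnat`), adds the `ether daddr set <bridge MAC>` statement Florian points at next to `meta pkttype set host`, and includes a `counter` so that, as Kerin asked, hits are actually visible in `nft list ruleset`. The MAC is read from `/sys/class/net/<bridge>/address` and validated before it is interpolated into the rule. The environment variable names `BRIDGE_DEV`, `TARGET_IP`, `TARGET_PORT`, `APPLY` and `SYSFS_NET` are this script's own assumptions; nothing is loaded into the kernel unless `APPLY=1` is given, the default just prints the ruleset that would be applied.

```shell
#!/bin/sh
# Added example, not from the thread: build the bridge-nat redirect rule as
# an nft -f ruleset, reading the bridge's own MAC from sysfs so that a single
# script works on every installation. Variable names here are assumptions:
#   BRIDGE_DEV  bridge device whose traffic is intercepted (ebtables --logical-in)
#   TARGET_IP   destination IPv4 address to redirect to the local stack
#   TARGET_PORT destination TCP port
#   APPLY=1     load the ruleset with nft -f -; unset just prints it
#   SYSFS_NET   where link-layer addresses live (default /sys/class/net)
set -eu

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# Print the bridge device's MAC, lower-case and colon separated, or fail.
bridge_mac() {
    dev=$1
    addr_file="$SYSFS_NET/$dev/address"
    if [ ! -r "$addr_file" ]; then
        echo "bridge_mac: no such device: $dev" >&2
        return 1
    fi
    mac=$(tr 'A-F' 'a-f' < "$addr_file")
    # Refuse anything that is not six hex octets: an unchecked value would
    # be interpolated straight into a rule that rewrites frame destinations.
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "bridge_mac: unexpected address '$mac' for $dev" >&2
        return 1
    fi
    printf '%s\n' "$mac"
}

# Emit a complete nft -f ruleset.  The empty declaration followed by
# "delete table" makes the load idempotent (it replaces only this table
# instead of flushing the whole ruleset as the original script did).
# The rule marks the frame host-bound AND rewrites its destination MAC to
# the bridge's address, which is what the ebtables redirect target did.
build_ruleset() {
    dev=$1; ip=$2; port=$3; mac=$4
    cat <<EOF
table bridge nat {}
delete table bridge nat
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority dstnat; policy accept;
                meta ibrname "$dev" ip daddr $ip tcp dport $port counter meta pkttype set host ether daddr set $mac
        }
}
EOF
}

main() {
    mac=$(bridge_mac "$BRIDGE_DEV")
    ruleset=$(build_ruleset "$BRIDGE_DEV" "$TARGET_IP" "$TARGET_PORT" "$mac")
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$ruleset" | nft -f -
    else
        printf '%s\n' "$ruleset"
    fi
}

# Only act when a bridge is named, e.g.
#   BRIDGE_DEV=br0 TARGET_IP=192.0.2.10 TARGET_PORT=502 sh bridge-redirect.sh
# Otherwise the file just defines the functions above.
if [ -n "${BRIDGE_DEV:-}" ]; then
    : "${TARGET_IP:?set TARGET_IP}" "${TARGET_PORT:?set TARGET_PORT}"
    main
fi
```

Run it once without `APPLY` and compare the printed rule against `nft list ruleset` afterwards; the `counter` on the rule is the quickest way to tell whether frames are being matched at all before worrying about whether the MAC rewrite is taking effect.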
