From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: [PATCH nf-next] netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support
Date: Tue, 2 Sep 2025 17:58:31 +0200 [thread overview]
Message-ID: <aLcUJ5U0LWW_-Vo8@calendula> (raw)
In-Reply-To: <e2c78075-e3b7-4124-a530-54652910a2d5@suse.de>
On Tue, Sep 02, 2025 at 05:34:02PM +0200, Fernando Fernandez Mancera wrote:
>
>
> On 9/2/25 4:37 PM, Pablo Neira Ayuso wrote:
> > On Tue, Sep 02, 2025 at 02:08:54PM +0200, Florian Westphal wrote:
> > > Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> > > > Expose the input bridge interface ethernet address so it can be used to
> > > > redirect the packet to the receiving physical device for processing.
> > > >
> > > > Tested with nft command line tool.
> > > >
> > > > table bridge nat {
> > > > chain PREROUTING {
> > > > type filter hook prerouting priority 0; policy accept;
> > > > ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
> > > > }
> > > > }
> > > >
> > > > Joint work with Pablo Neira.
> > >
> > > Sorry for crashing the party.
> > >
> > > Can you check if its enough to use the mac address of the port (rather
> > > than the bridge address)?
> > >
> > > i.e. add veth0,1 to br0 like this:
> > >
> > > br0
> > > a -> [ veth0|veth1 ] -> b
> > >
> > > Then check br0 address.
> > > If br0 has address of veth1, then try to redirect
> > > redirect by setting a rule like 'ether daddr set <*veth0 address*>
> > >
> > > AFAICS the bridge FDB should treat this as local, just as if one would
> > > have used the bridges mac address.
> >
>
> You are right Florian, I have tested this on the following setup.
>
> 1. ping from veth0_a on netns_a to veth1_b on netns_b
>
> +----br0----+
> | |
> veth0_a------------veth0 veth1--------veth1_b
> (192.168.10.10/24) (192.168.10.20/24)
>
> Using the MAC of the port, the packet is consumed by the bridge too and not
> forwarded. So, no need for it to be the MAC address of the bridge itself..
Thanks for confirming.
But this is going to be a bit strange from usability point of view?
It is easier to explain to users that by setting the br0 mac address
(as we do now) packets are passed up to the local stack.
Maybe both can be added? But I don't have a use-case for iifhwdr apart
from this scenario.
next prev parent reply other threads:[~2025-09-02 15:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-02 11:28 [PATCH nf-next] netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support Fernando Fernandez Mancera
2025-09-02 12:08 ` Florian Westphal
2025-09-02 14:37 ` Pablo Neira Ayuso
2025-09-02 15:34 ` Fernando Fernandez Mancera
2025-09-02 15:58 ` Pablo Neira Ayuso [this message]
2025-09-02 16:05 ` Fernando Fernandez Mancera
2025-09-02 16:33 ` Florian Westphal
2025-09-02 17:02 ` Fernando Fernandez Mancera
2025-09-02 17:07 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aLcUJ5U0LWW_-Vo8@calendula \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=fmancera@suse.de \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.