Re: nftables / DHCP / NAT

[Volodymyr Litovka <doka@funlab.cc>]

Hi Pablo,

On 10/30/23 09:41, Pablo Neira Ayuso wrote:
> iifname "inspan" ...
>
> is not really required, because you chain is already hooked at
> "inspan" device see your chain declaration:
thanks for that.

> Then, to forward packets to some other box from the 'netdev' family,
> use the 'fwd' statement:
>
>          udp dport 67 udp dport set 10067 counter fwd to 100.64.0.66 device "eth0"
>
> This rule above is mangling your UDP destination port from 67 to
> 10067, then it send the packet to 100.64.0.66 and device "eth0". The
> destination MAC address is updated by the neighbour layer so you do
> not have to bother with "ether daddr set ...".

the basic idea of this construction is to use later load balancing 
(https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing) 
between multiple destinations, in the section

table ip todos {
     chain enat {
         type nat hook prerouting priority dstnat;
         udp dport 10067 counter dnat to 100.64.0.15:10067
         udp dport 11813 counter dnat to 100.64.0.15:11813
     }
}

so on the first step (netdev) I'm setting dst mac to local (so packet 
will not be dropped as "alien", because I receive on this box mirrored 
(SPAN) traffic, where dst mac is not this box) and then load-balance it 
between multiple destinations using NAT/LB. As far as I understand, 
'fwd' is for forwarding to a single destination.

I will appreciate any suggestion on how to solve this task - either fix 
what I'm trying to do or using another way :-)

Thank you.

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison