From: Volodymyr Litovka <doka@funlab.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: doka@funlab.cc, netfilter@vger.kernel.org
Subject: Re: nftables / DHCP / NAT
Date: Mon, 30 Oct 2023 12:58:43 +0100
Message-ID: <dc369ef0-9eb3-4e38-92aa-b80e0ebdaa73@funlab.cc>
In-Reply-To: <ZT9sQZw2hmkM5nh2@calendula>
Hi Pablo,
On 10/30/23 09:41, Pablo Neira Ayuso wrote:
> iifname "inspan" ...
>
> is not really required, because your chain is already hooked at the
> "inspan" device; see your chain declaration:
thanks for that.
> Then, to forward packets to some other box from the 'netdev' family,
> use the 'fwd' statement:
>
> udp dport 67 udp dport set 10067 counter fwd to 100.64.0.66 device "eth0"
>
> This rule above is mangling your UDP destination port from 67 to
> 10067, then it sends the packet to 100.64.0.66 via device "eth0". The
> destination MAC address is updated by the neighbour layer, so you do
> not have to bother with "ether daddr set ...".
The basic idea of this construction is to use load balancing later
(https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing)
between multiple destinations, in this section:

    table ip todos {
        chain enat {
            type nat hook prerouting priority dstnat;
            udp dport 10067 counter dnat to 100.64.0.15:10067
            udp dport 11813 counter dnat to 100.64.0.15:11813
        }
    }

So on the first step (netdev) I'm setting the dst MAC to the local one (so
the packet will not be dropped as "alien", because I receive mirrored
(SPAN) traffic on this box, where the dst MAC is not this box) and then
load-balance it between multiple destinations using NAT/LB. As far as I
understand, 'fwd' is for forwarding to a single destination.
I would appreciate any suggestion on how to solve this task - either by
fixing what I'm trying to do or by using another way :-)
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
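The two-stage construction discussed in this thread (a netdev ingress chain that makes the mirrored frames acceptable to the local stack, followed by a prerouting nat chain that spreads them over several collectors) written out as one complete ruleset. This is an added example, not a ruleset posted by either participant or taken from the nftables project; the local MAC 02:00:00:aa:bb:cc is a placeholder, 100.64.0.16 is an assumed second collector that the thread never mentions, and the numgen/jhash map syntax is the one documented on the nftables wiki page linked above.

```nft
# Added example, not from the thread. Assumed values: the receiver's own
# MAC is 02:00:00:aa:bb:cc (placeholder) and 100.64.0.16 is a second
# collector (not mentioned in the thread).

table netdev span {
    chain ingress {
        type filter hook ingress device "inspan" priority 0; policy accept;

        # SPAN frames carry the original receiver's MAC, so the IP stack
        # would drop them as not addressed to this host. Rewrite the
        # destination MAC to our own and move DHCP server traffic to the
        # port the nat chain below matches on. nft recomputes the UDP
        # checksum for the port change.
        udp dport 67 ether daddr set 02:00:00:aa:bb:cc udp dport set 10067 counter
    }
}

table ip todos {
    chain enat {
        type nat hook prerouting priority dstnat; policy accept;

        # Round-robin across two collectors: numgen inc yields 0,1,0,1,...
        # and the map turns that index into a dnat target. The port is
        # left untouched, so 10067 is preserved.
        udp dport 10067 counter dnat to numgen inc mod 2 map { 0 : 100.64.0.15, 1 : 100.64.0.16 }

        # Sticky alternative: hash the client's source address so the
        # same client always lands on the same collector, which keeps a
        # multi-packet exchange together on one box.
        udp dport 11813 counter dnat to jhash ip saddr mod 2 map { 0 : 100.64.0.15, 1 : 100.64.0.16 }
    }
}
```

Validate the file with `nft -c -f span.nft` before loading it with `nft -f span.nft`; the `counter` on each rule lets `nft list ruleset` show whether frames actually make it past the netdev stage and how they are split between the two dnat targets, which is the first thing to check when one collector stays silent.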