From: Jaga Doe <jaga.doe@aol.com>
To: netfilter@vger.kernel.org
Subject: Redirect bridged traffic
Date: Wed, 5 Feb 2020 18:04:26 +0000 (UTC)	[thread overview]
Message-ID: <1561900038.672905.1580925866433@mail.yahoo.com> (raw)
In-Reply-To: 1561900038.672905.1580925866433.ref@mail.yahoo.com


Hello,

I have a device with 3 NICs connected to two networks as follows:
1. eth0 connected to the monitor network, used for accessing my device and doing configuration.
2. eth1 connected to the main network, which contains routers, DHCP server, NTP server, etc.
3. eth2 connected by a direct cable to a device (PC0) that is supposed to be part of the main network.

My device needs to pass through all the traffic between PC0 and the main network, except the traffic connecting to port 3000 of PC0, which needs to be redirected to a local process. The local process, in its turn, needs to connect to PC0 on port 3000, and the replies need to be passed back to the main network client.

For this I have created a bridge which is able to pass all the traffic between eth1 and eth2:
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2

ip link set br0 up

Using this, PC0 is able to access all services from the main network (i.e. DHCP for getting the IP address). However, the performance of the bridge is much lower than expected, the speed being almost 6x lower compared to direct access of PC0 to the main network.

For redirecting the traffic I was trying to use the nftables configuration below:

#!/usr/sbin/nft -f

flush ruleset

# MAC address the redirected frames are rewritten to (named after the monitor NIC)
define MON_MAC = 00:0c:29:15:7b:a0
# port on PC0 whose connections must go to the local process (3000, as described above)
define TPORT = 3000

table bridge tbrFilter {
    chain cbrRedirect {
      type filter hook prerouting priority 0;
      # match first, then log/count; pkttype host + local dst MAC makes the bridge deliver the frame locally
      tcp dport $TPORT log meta pkttype set host ether daddr set $MON_MAC counter
    }
}

table inet tlcRedirect {
    chain clcRedirect {
      type nat hook prerouting priority 0;
      # match first, then log/count and redirect to the local port
      tcp dport $TPORT log counter redirect to $TPORT
    }
}

Using this configuration, the connection to PC0:3000 seems to be captured by nft, but it does not reach the local process.

What am I missing here?

Thanks and best regards,
Jaga.
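An added diagnostic variant of the configuration above (example code, not the poster's own and not a proposed fix): each stage gets a named counter, so after one test connection to PC0:3000 "nft list counters" shows whether the packet was seen by the bridge prerouting hook, had its destination MAC rewritten, and was seen by the inet nat prerouting hook. It assumes TPORT is 3000 as described in the post and that eth1 is the interface facing the main network.

```nft
#!/usr/sbin/nft -f
# Diagnostic variant: named counters per stage (assumed values: TPORT=3000, eth1 = main network side)
flush ruleset

define MON_MAC = 00:0c:29:15:7b:a0
define TPORT = 3000

table bridge tbrFilter {
    counter seen_on_bridge {}   # frames to PC0:$TPORT entering from eth1
    counter rewritten {}        # frames whose dst MAC was changed to $MON_MAC

    chain cbrRedirect {
      type filter hook prerouting priority 0; policy accept;
      iifname "eth1" tcp dport $TPORT counter name "seen_on_bridge" log prefix "bridge-redirect: " meta pkttype set host ether daddr set $MON_MAC counter name "rewritten"
    }
}

table inet tlcRedirect {
    counter seen_by_nat {}      # packets that reached the inet nat prerouting hook

    chain clcRedirect {
      type nat hook prerouting priority 0; policy accept;
      tcp dport $TPORT counter name "seen_by_nat" log prefix "nat-redirect: " redirect to $TPORT
    }
}
```

Check the file with "nft -c -f FILE" before loading it; a stage whose counter stays at zero after a test connection is where the packet stops being seen.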


Thread overview: 6+ messages
     [not found] <1561900038.672905.1580925866433.ref@mail.yahoo.com>
2020-02-05 18:04 ` Jaga Doe [this message]
2020-02-05 19:35   ` Redirect bridged traffic Florian Westphal
     [not found] <1291389071.153642.1580977922721.ref@mail.yahoo.com>
2020-02-06  8:32 ` Jaga Doe
2020-02-06  8:46   ` Florian Westphal
2020-02-07 13:09     ` Jaga Doe
     [not found] <54308857.271223.1581007417521.ref@mail.yahoo.com>
2020-02-06 16:43 ` Jaga Doe
