* IP DNAT on bridged packets destined to local process
@ 2022-06-07 8:25 Shirisha Dasari
2022-06-08 15:14 ` Maximiliano Estudies
2022-06-22 7:39 ` Pablo Neira Ayuso
0 siblings, 2 replies; 7+ messages in thread
From: Shirisha Dasari @ 2022-06-07 8:25 UTC (permalink / raw)
To: netfilter
Hi,
I need some help to understand if IP DNAT can be achieved on bridged
packets (IP packets arriving on a bridge port). The packets first need
to undergo DMAC NAT in the bridge filter layer of Netfilter and then
also need to undergo IP DNAT. This is because I need to have the
incoming bridged IP packets redirected to a local process.
From my experimentation so far, I'm only able to have the packet
undergo DMAC NAT using bridge NF rules but these packets do not hit
the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
and are redirected to the bridge INPUT chain from where they undergo
routing lookup directly and take appropriate route to be forwarded. I
however need to NAT the DIP before the routing lookup happens. From
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
I feel the packet should have hit the IP PREROUTING chain and
undergone NAT but this doesn't happen in my case.
I've already tried the following:
1) net.bridge.bridge-nf-call-iptables = 1.
The packets still do not hit the L3 IP NAT PREROUTING chain still.
2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
rules added via ebtables-legacy do not get hit at all.
3) The packet seems to be hitting the inet chains but I cannot add a
NAT rule in the inet chain as this support is only available in the
later kernels.
Some info about the system I'm trying this on:
root@sonic:/home/admin# uname -a
Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
(2020-06-07) x86_64 GNU/Linux
root@sonic:/home/admin# ebtables -V
ebtables 1.8.2 (nf_tables)
root@sonic:/home/admin# ebtables-legacy -V
ebtables v2.0.10.4 (legacy) (December 2011)
Following are the rules in my nftables and the trace of the packet
traversing nftables:
table bridge filter {
chain PREROUTING {
type filter hook prerouting priority
-300; policy accept;
tcp dport http ip saddr 10.10.10.10
ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
}
chain trace_chain {
type filter hook prerouting priority
-301; policy accept;
nftrace set 1
}
}
root@sonic:/home/admin# nft list table nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
meta l4proto udp udp dport 53 counter packets 0 bytes
0 jump DNS_SNAT_RULE
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain DOCKER {
}
chain DNS_SNAT_RULE {
}
chain redir {
type nat hook prerouting priority -101; policy accept;
ip saddr 10.10.10.10 tcp dport { http, https } counter
packets 0 bytes 0 dnat to 60.60.60.60
}
}
Packet trace:
packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
flags == 0x0 tcp window 0
trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
bytes 4264 (verdict continue)
trace id e19ef0d4 bridge filter PREROUTING verdict continue
trace id e19ef0d4 bridge filter PREROUTING
trace id e19ef0d4 bridge filter INPUT verdict continue
trace id e19ef0d4 bridge filter INPUT
trace id 00027106 ip filter FORWARD verdict continue
trace id 00027106 ip filter FORWARD
Thanks,
Shirisha.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: IP DNAT on bridged packets destined to local process
2022-06-07 8:25 IP DNAT on bridged packets destined to local process Shirisha Dasari
@ 2022-06-08 15:14 ` Maximiliano Estudies
2022-06-09 9:05 ` Shirisha Dasari
2022-06-22 7:39 ` Pablo Neira Ayuso
1 sibling, 1 reply; 7+ messages in thread
From: Maximiliano Estudies @ 2022-06-08 15:14 UTC (permalink / raw)
To: netfilter
El mar, 7 jun 2022 a las 11:14, Shirisha Dasari
(<shirishadasari@gmail.com>) escribió:
>
> Hi,
>
> I need some help to understand if IP DNAT can be achieved on bridged
> packets (IP packets arriving on a bridge port). The packets first need
> to undergo DMAC NAT in the bridge filter layer of Netfilter and then
> also need to undergo IP DNAT. This is because I need to have the
> incoming bridged IP packets redirected to a local process.
>
> From my experimentation so far, I'm only able to have the packet
> undergo DMAC NAT using bridge NF rules but these packets do not hit
> the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
> and are redirected to the bridge INPUT chain from where they undergo
> routing lookup directly and take appropriate route to be forwarded. I
> however need to NAT the DIP before the routing lookup happens. From
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
> http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
> I feel the packet should have hit the IP PREROUTING chain and
> undergone NAT but this doesn't happen in my case.
>
> I've already tried the following:
>
> 1) net.bridge.bridge-nf-call-iptables = 1.
> The packets still do not hit the L3 IP NAT PREROUTING chain still.
>
> 2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
> rules added via ebtables-legacy do not get hit at all.
>
> 3) The packet seems to be hitting the inet chains but I cannot add a
> NAT rule in the inet chain as this support is only available in the
> later kernels.
>
> Some info about the system I'm trying this on:
> root@sonic:/home/admin# uname -a
> Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
> (2020-06-07) x86_64 GNU/Linux
>
> root@sonic:/home/admin# ebtables -V
> ebtables 1.8.2 (nf_tables)
> root@sonic:/home/admin# ebtables-legacy -V
> ebtables v2.0.10.4 (legacy) (December 2011)
>
> Following are the rules in my nftables and the trace of the packet
> traversing nftables:
>
> table bridge filter {
> chain PREROUTING {
> type filter hook prerouting priority
> -300; policy accept;
> tcp dport http ip saddr 10.10.10.10
> ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
> }
>
> chain trace_chain {
> type filter hook prerouting priority
> -301; policy accept;
> nftrace set 1
> }
> }
>
> root@sonic:/home/admin# nft list table nat
> table ip nat {
> chain PREROUTING {
> type nat hook prerouting priority -100; policy accept;
> }
>
> chain INPUT {
> type nat hook input priority 100; policy accept;
> }
>
> chain POSTROUTING {
> type nat hook postrouting priority 100; policy accept;
> meta l4proto udp udp dport 53 counter packets 0 bytes
> 0 jump DNS_SNAT_RULE
> }
>
> chain OUTPUT {
> type nat hook output priority -100; policy accept;
> }
>
> chain DOCKER {
> }
>
> chain DNS_SNAT_RULE {
> }
>
> chain redir {
> type nat hook prerouting priority -101; policy accept;
> ip saddr 10.10.10.10 tcp dport { http, https } counter
> packets 0 bytes 0 dnat to 60.60.60.60
> }
> }
>
> Packet trace:
>
> packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
> 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
> 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
> ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
> flags == 0x0 tcp window 0
> trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
> saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
> bytes 4264 (verdict continue)
> trace id e19ef0d4 bridge filter PREROUTING verdict continue
> trace id e19ef0d4 bridge filter PREROUTING
> trace id e19ef0d4 bridge filter INPUT verdict continue
> trace id e19ef0d4 bridge filter INPUT
> trace id 00027106 ip filter FORWARD verdict continue
> trace id 00027106 ip filter FORWARD
>
> Thanks,
> Shirisha.
I took this from the nftables wiki:
> If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain
you can add another chain with the PREROUTING hook but later priority
and do the IP DNAT there.
--
Maximiliano Estudies
VDT Referat Beschallung
+49 176 36784771
omslo.com
maxiestudies.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: IP DNAT on bridged packets destined to local process
2022-06-08 15:14 ` Maximiliano Estudies
@ 2022-06-09 9:05 ` Shirisha Dasari
0 siblings, 0 replies; 7+ messages in thread
From: Shirisha Dasari @ 2022-06-09 9:05 UTC (permalink / raw)
To: Maximiliano Estudies; +Cc: netfilter
Thank you. I noticed that the packet hits the inet table chains but
not ip tables. Not sure what the reason is for the same.
root@sonic:/home/admin# nft monitor trace
trace id 58a19031 bridge filter chain_trace packet: iif "Ethernet38"
ether saddr 00:00:09:00:10:00 ether daddr 00:00:09:00:11:00 vlan pcp 0
vlan cfi 0 vlan id 10 ip saddr 10.10.10.10 ip daddr 20.20.20.20 ip
dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 46
tcp sport 3442 tcp dport http tcp flags == syn tcp window 0
trace id 58a19031 bridge filter chain_trace rule nftrace set 1
(verdict continue)
trace id 58a19031 bridge filter chain_trace verdict continue
trace id 58a19031 bridge filter chain_trace
trace id 58a19031 bridge filter PREROUTING packet: iif "Ethernet38"
ether saddr 00:00:09:00:10:00 ether daddr 00:00:09:00:11:00 vlan pcp 0
vlan cfi 0 vlan id 10 ip saddr 10.10.10.10 ip daddr 20.20.20.20 ip
dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 46
tcp sport 3442 tcp dport http tcp flags == syn tcp window 0
trace id 58a19031 bridge filter PREROUTING rule ip saddr 10.10.10.10
tcp dport http counter packets 97 bytes 4462 jump mydnat (verdict jump
mydnat)
trace id 58a19031 bridge filter mydnat rule ether daddr set
00:00:00:0a:0b:0c counter packets 74 bytes 3404 (verdict continue)
trace id 58a19031 bridge filter mydnat verdict continue
trace id 58a19031 bridge filter PREROUTING verdict continue
trace id 58a19031 bridge filter PREROUTING
trace id 58a19031 bridge filter INPUT verdict continue
trace id 58a19031 bridge filter INPUT
trace id c80afea0 inet filter PREROUTING packet: iif "Vlan10" ether
saddr 00:00:09:00:10:00 ether daddr 00:00:00:0a:0b:0c ip saddr
10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 64
ip id 0 ip protocol tcp ip length 46 tcp sport 3442 tcp dport http tcp
flags == syn tcp window 0
trace id c80afea0 inet filter PREROUTING rule tcp dport http counter
packets 34 bytes 1564 (verdict continue)
trace id c80afea0 inet filter PREROUTING verdict continue
trace id c80afea0 inet filter PREROUTING
trace id c80afea0 ip filter FORWARD verdict continue
trace id c80afea0 ip filter FORWARD
From my understanding, if I have support for stateful NAT in the inet
table (that is supported on kernels 5.2 and above), I may be able to
do the IP DNAT on the packets.
Thanks,
Shirisha.
On Wed, Jun 8, 2022 at 9:20 PM Maximiliano Estudies
<maxiestudies@gmail.com> wrote:
>
> El mar, 7 jun 2022 a las 11:14, Shirisha Dasari
> (<shirishadasari@gmail.com>) escribió:
> >
> > Hi,
> >
> > I need some help to understand if IP DNAT can be achieved on bridged
> > packets (IP packets arriving on a bridge port). The packets first need
> > to undergo DMAC NAT in the bridge filter layer of Netfilter and then
> > also need to undergo IP DNAT. This is because I need to have the
> > incoming bridged IP packets redirected to a local process.
> >
> > From my experimentation so far, I'm only able to have the packet
> > undergo DMAC NAT using bridge NF rules but these packets do not hit
> > the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
> > and are redirected to the bridge INPUT chain from where they undergo
> > routing lookup directly and take appropriate route to be forwarded. I
> > however need to NAT the DIP before the routing lookup happens. From
> > https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
> > http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
> > https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
> > I feel the packet should have hit the IP PREROUTING chain and
> > undergone NAT but this doesn't happen in my case.
> >
> > I've already tried the following:
> >
> > 1) net.bridge.bridge-nf-call-iptables = 1.
> > The packets still do not hit the L3 IP NAT PREROUTING chain still.
> >
> > 2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
> > rules added via ebtables-legacy do not get hit at all.
> >
> > 3) The packet seems to be hitting the inet chains but I cannot add a
> > NAT rule in the inet chain as this support is only available in the
> > later kernels.
> >
> > Some info about the system I'm trying this on:
> > root@sonic:/home/admin# uname -a
> > Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
> > (2020-06-07) x86_64 GNU/Linux
> >
> > root@sonic:/home/admin# ebtables -V
> > ebtables 1.8.2 (nf_tables)
> > root@sonic:/home/admin# ebtables-legacy -V
> > ebtables v2.0.10.4 (legacy) (December 2011)
> >
> > Following are the rules in my nftables and the trace of the packet
> > traversing nftables:
> >
> > table bridge filter {
> > chain PREROUTING {
> > type filter hook prerouting priority
> > -300; policy accept;
> > tcp dport http ip saddr 10.10.10.10
> > ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
> > }
> >
> > chain trace_chain {
> > type filter hook prerouting priority
> > -301; policy accept;
> > nftrace set 1
> > }
> > }
> >
> > root@sonic:/home/admin# nft list table nat
> > table ip nat {
> > chain PREROUTING {
> > type nat hook prerouting priority -100; policy accept;
> > }
> >
> > chain INPUT {
> > type nat hook input priority 100; policy accept;
> > }
> >
> > chain POSTROUTING {
> > type nat hook postrouting priority 100; policy accept;
> > meta l4proto udp udp dport 53 counter packets 0 bytes
> > 0 jump DNS_SNAT_RULE
> > }
> >
> > chain OUTPUT {
> > type nat hook output priority -100; policy accept;
> > }
> >
> > chain DOCKER {
> > }
> >
> > chain DNS_SNAT_RULE {
> > }
> >
> > chain redir {
> > type nat hook prerouting priority -101; policy accept;
> > ip saddr 10.10.10.10 tcp dport { http, https } counter
> > packets 0 bytes 0 dnat to 60.60.60.60
> > }
> > }
> >
> > Packet trace:
> >
> > packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
> > 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
> > 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
> > ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
> > flags == 0x0 tcp window 0
> > trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
> > saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
> > bytes 4264 (verdict continue)
> > trace id e19ef0d4 bridge filter PREROUTING verdict continue
> > trace id e19ef0d4 bridge filter PREROUTING
> > trace id e19ef0d4 bridge filter INPUT verdict continue
> > trace id e19ef0d4 bridge filter INPUT
> > trace id 00027106 ip filter FORWARD verdict continue
> > trace id 00027106 ip filter FORWARD
> >
> > Thanks,
> > Shirisha.
>
> I took this from the nftables wiki:
> > If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain
> you can add another chain with the PREROUTING hook but later priority
> and do the IP DNAT there.
>
> --
> Maximiliano Estudies
> VDT Referat Beschallung
> +49 176 36784771
> omslo.com
> maxiestudies.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: IP DNAT on bridged packets destined to local process
2022-06-07 8:25 IP DNAT on bridged packets destined to local process Shirisha Dasari
2022-06-08 15:14 ` Maximiliano Estudies
@ 2022-06-22 7:39 ` Pablo Neira Ayuso
2022-06-22 7:40 ` Pablo Neira Ayuso
1 sibling, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-22 7:39 UTC (permalink / raw)
To: Shirisha Dasari; +Cc: netfilter
Hi,
On Tue, Jun 07, 2022 at 01:55:36PM +0530, Shirisha Dasari wrote:
> Hi,
>
> I need some help to understand if IP DNAT can be achieved on bridged
> packets (IP packets arriving on a bridge port). The packets first need
> to undergo DMAC NAT in the bridge filter layer of Netfilter and then
> also need to undergo IP DNAT. This is because I need to have the
> incoming bridged IP packets redirected to a local process.
>
> From my experimentation so far, I'm only able to have the packet
> undergo DMAC NAT using bridge NF rules but these packets do not hit
> the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
> and are redirected to the bridge INPUT chain from where they undergo
> routing lookup directly and take appropriate route to be forwarded. I
> however need to NAT the DIP before the routing lookup happens. From
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
> http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
> I feel the packet should have hit the IP PREROUTING chain and
> undergone NAT but this doesn't happen in my case.
>
> I've already tried the following:
>
> 1) net.bridge.bridge-nf-call-iptables = 1.
> The packets still do not hit the L3 IP NAT PREROUTING chain still.
With nftables there is no need to use br_netfilter, such module is deprecated.
You should be able to mangle the destination MAC of the packet, so the
bridge bits forwards the packet to the bridge LOCAL_IN path. Then, you
add a rule to redirect traffic for that port to your local process.
> 2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
> rules added via ebtables-legacy do not get hit at all.
>
> 3) The packet seems to be hitting the inet chains but I cannot add a
> NAT rule in the inet chain as this support is only available in the
> later kernels.
>
> Some info about the system I'm trying this on:
> root@sonic:/home/admin# uname -a
> Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
> (2020-06-07) x86_64 GNU/Linux
>
> root@sonic:/home/admin# ebtables -V
> ebtables 1.8.2 (nf_tables)
> root@sonic:/home/admin# ebtables-legacy -V
> ebtables v2.0.10.4 (legacy) (December 2011)
>
> Following are the rules in my nftables and the trace of the packet
> traversing nftables:
>
> table bridge filter {
> chain PREROUTING {
> type filter hook prerouting priority
> -300; policy accept;
> tcp dport http ip saddr 10.10.10.10
> ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
> }
>
> chain trace_chain {
> type filter hook prerouting priority
> -301; policy accept;
> nftrace set 1
> }
> }
>
> root@sonic:/home/admin# nft list table nat
> table ip nat {
> chain PREROUTING {
> type nat hook prerouting priority -100; policy accept;
> }
>
> chain INPUT {
> type nat hook input priority 100; policy accept;
> }
>
> chain POSTROUTING {
> type nat hook postrouting priority 100; policy accept;
> meta l4proto udp udp dport 53 counter packets 0 bytes
> 0 jump DNS_SNAT_RULE
> }
>
> chain OUTPUT {
> type nat hook output priority -100; policy accept;
> }
>
> chain DOCKER {
> }
>
> chain DNS_SNAT_RULE {
> }
>
> chain redir {
> type nat hook prerouting priority -101; policy accept;
> ip saddr 10.10.10.10 tcp dport { http, https } counter
> packets 0 bytes 0 dnat to 60.60.60.60
> }
> }
>
> Packet trace:
>
> packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
> 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
> 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
> ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
> flags == 0x0 tcp window 0
> trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
> saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
> bytes 4264 (verdict continue)
> trace id e19ef0d4 bridge filter PREROUTING verdict continue
> trace id e19ef0d4 bridge filter PREROUTING
> trace id e19ef0d4 bridge filter INPUT verdict continue
> trace id e19ef0d4 bridge filter INPUT
> trace id 00027106 ip filter FORWARD verdict continue
> trace id 00027106 ip filter FORWARD
>
> Thanks,
> Shirisha.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: IP DNAT on bridged packets destined to local process
2022-06-22 7:39 ` Pablo Neira Ayuso
@ 2022-06-22 7:40 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-22 7:40 UTC (permalink / raw)
To: Shirisha Dasari; +Cc: netfilter
On Wed, Jun 22, 2022 at 09:39:38AM +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> On Tue, Jun 07, 2022 at 01:55:36PM +0530, Shirisha Dasari wrote:
> > Hi,
> >
> > I need some help to understand if IP DNAT can be achieved on bridged
> > packets (IP packets arriving on a bridge port). The packets first need
> > to undergo DMAC NAT in the bridge filter layer of Netfilter and then
> > also need to undergo IP DNAT. This is because I need to have the
> > incoming bridged IP packets redirected to a local process.
> >
> > From my experimentation so far, I'm only able to have the packet
> > undergo DMAC NAT using bridge NF rules but these packets do not hit
> > the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
> > and are redirected to the bridge INPUT chain from where they undergo
> > routing lookup directly and take appropriate route to be forwarded. I
> > however need to NAT the DIP before the routing lookup happens. From
> > https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
> > http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
> > https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
> > I feel the packet should have hit the IP PREROUTING chain and
> > undergone NAT but this doesn't happen in my case.
> >
> > I've already tried the following:
> >
> > 1) net.bridge.bridge-nf-call-iptables = 1.
> > The packets still do not hit the L3 IP NAT PREROUTING chain still.
>
> With nftables there is no need to use br_netfilter, such module is deprecated.
>
> You should be able to mangle the destination MAC of the packet, so the
> bridge bits forwards the packet to the bridge LOCAL_IN path. Then, you
> add a rule to redirect traffic for that port to your local process.
Such redirect rule should be place in an inet prerouting chain whose
type is nat.
> > 2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
> > rules added via ebtables-legacy do not get hit at all.
> >
> > 3) The packet seems to be hitting the inet chains but I cannot add a
> > NAT rule in the inet chain as this support is only available in the
> > later kernels.
> >
> > Some info about the system I'm trying this on:
> > root@sonic:/home/admin# uname -a
> > Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
> > (2020-06-07) x86_64 GNU/Linux
> >
> > root@sonic:/home/admin# ebtables -V
> > ebtables 1.8.2 (nf_tables)
> > root@sonic:/home/admin# ebtables-legacy -V
> > ebtables v2.0.10.4 (legacy) (December 2011)
> >
> > Following are the rules in my nftables and the trace of the packet
> > traversing nftables:
> >
> > table bridge filter {
> > chain PREROUTING {
> > type filter hook prerouting priority
> > -300; policy accept;
> > tcp dport http ip saddr 10.10.10.10
> > ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
> > }
> >
> > chain trace_chain {
> > type filter hook prerouting priority
> > -301; policy accept;
> > nftrace set 1
> > }
> > }
> >
> > root@sonic:/home/admin# nft list table nat
> > table ip nat {
> > chain PREROUTING {
> > type nat hook prerouting priority -100; policy accept;
> > }
> >
> > chain INPUT {
> > type nat hook input priority 100; policy accept;
> > }
> >
> > chain POSTROUTING {
> > type nat hook postrouting priority 100; policy accept;
> > meta l4proto udp udp dport 53 counter packets 0 bytes
> > 0 jump DNS_SNAT_RULE
> > }
> >
> > chain OUTPUT {
> > type nat hook output priority -100; policy accept;
> > }
> >
> > chain DOCKER {
> > }
> >
> > chain DNS_SNAT_RULE {
> > }
> >
> > chain redir {
> > type nat hook prerouting priority -101; policy accept;
> > ip saddr 10.10.10.10 tcp dport { http, https } counter
> > packets 0 bytes 0 dnat to 60.60.60.60
> > }
> > }
> >
> > Packet trace:
> >
> > packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
> > 00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
> > 10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
> > ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
> > flags == 0x0 tcp window 0
> > trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
> > saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
> > bytes 4264 (verdict continue)
> > trace id e19ef0d4 bridge filter PREROUTING verdict continue
> > trace id e19ef0d4 bridge filter PREROUTING
> > trace id e19ef0d4 bridge filter INPUT verdict continue
> > trace id e19ef0d4 bridge filter INPUT
> > trace id 00027106 ip filter FORWARD verdict continue
> > trace id 00027106 ip filter FORWARD
> >
> > Thanks,
> > Shirisha.
^ permalink raw reply [flat|nested] 7+ messages in thread
* IP DNAT on bridged packets destined to local process
@ 2022-06-07 13:05 Shirisha Dasari
0 siblings, 0 replies; 7+ messages in thread
From: Shirisha Dasari @ 2022-06-07 13:05 UTC (permalink / raw)
To: netfilter
Hi,
I need some help to understand if IP DNAT can be achieved on bridged
packets (IP packets arriving on a bridge port). The packets first need
to undergo DMAC NAT in the bridge filter layer of Netfilter and then
also need to undergo IP DNAT. This is because I need to have the
incoming bridged IP packets redirected to a local process.
From my experimentation so far, I'm only able to have the packet
undergo DMAC NAT using bridge NF rules but these packets do not hit
the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
and are redirected to the bridge INPUT chain from where they undergo
routing lookup directly and take appropriate route to be forwarded. I
however need to NAT the DIP before the routing lookup happens. From
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
I feel the packet should have hit the IP PREROUTING chain and
undergone NAT but this doesn't happen in my case.
I've already tried the following:
1) net.bridge.bridge-nf-call-iptables = 1.
The packets still do not hit the L3 IP NAT PREROUTING chain still.
2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
rules added via ebtables-legacy do not get hit at all.
3) The packet seems to be hitting the inet chains but I cannot add a
NAT rule in the inet chain as this support is only available in the
later kernels.
Some info about the system I'm trying this on:
root@sonic:/home/admin# uname -a
Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
(2020-06-07) x86_64 GNU/Linux
root@sonic:/home/admin# ebtables -V
ebtables 1.8.2 (nf_tables)
root@sonic:/home/admin# ebtables-legacy -V
ebtables v2.0.10.4 (legacy) (December 2011)
Following are the rules in my nftables and the trace of the packet
traversing nftables:
table bridge filter {
chain PREROUTING {
type filter hook prerouting priority
-300; policy accept;
tcp dport http ip saddr 10.10.10.10
ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
}
chain trace_chain {
type filter hook prerouting priority
-301; policy accept;
nftrace set 1
}
}
root@sonic:/home/admin# nft list table nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
meta l4proto udp udp dport 53 counter packets 0 bytes
0 jump DNS_SNAT_RULE
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain DOCKER {
}
chain DNS_SNAT_RULE {
}
chain redir {
type nat hook prerouting priority -101; policy accept;
ip saddr 10.10.10.10 tcp dport { http, https } counter
packets 0 bytes 0 dnat to 60.60.60.60
}
}
Packet trace:
packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
flags == 0x0 tcp window 0
trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
bytes 4264 (verdict continue)
trace id e19ef0d4 bridge filter PREROUTING verdict continue
trace id e19ef0d4 bridge filter PREROUTING
trace id e19ef0d4 bridge filter INPUT verdict continue
trace id e19ef0d4 bridge filter INPUT
trace id 00027106 ip filter FORWARD verdict continue
trace id 00027106 ip filter FORWARD
Thanks,
Shirisha.
^ permalink raw reply [flat|nested] 7+ messages in thread
* IP DNAT on bridged packets destined to local process
@ 2022-06-07 9:20 Shirisha Dasari
0 siblings, 0 replies; 7+ messages in thread
From: Shirisha Dasari @ 2022-06-07 9:20 UTC (permalink / raw)
To: netfilter
Hi,
I need some help to understand if IP DNAT can be achieved on bridged
packets (IP packets arriving on a bridge port). The packets first need
to undergo DMAC NAT in the bridge filter layer of Netfilter and then
also need to undergo IP DNAT. This is because I need to have the
incoming bridged IP packets redirected to a local process.
From my experimentation so far, I'm only able to have the packet
undergo DMAC NAT using bridge NF rules but these packets do not hit
the ingress L3 stack prerouting chains. The packets undergo DMAC NAT
and are redirected to the bridge INPUT chain from where they undergo
routing lookup directly and take appropriate route to be forwarded. I
however need to NAT the DIP before the routing lookup happens. From
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks,
http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section5 and
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
I feel the packet should have hit the IP PREROUTING chain and
undergone NAT but this doesn't happen in my case.
I've already tried the following:
1) net.bridge.bridge-nf-call-iptables = 1.
The packets still do not hit the L3 IP NAT PREROUTING chain still.
2) ebtables rules to BROUTE the packet to the L3 layer. My ebtables
rules added via ebtables-legacy do not get hit at all.
3) The packet seems to be hitting the inet chains but I cannot add a
NAT rule in the inet chain as this support is only available in the
later kernels.
Some info about the system I'm trying this on:
root@sonic:/home/admin# uname -a
Linux sonic 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1
(2020-06-07) x86_64 GNU/Linux
root@sonic:/home/admin# ebtables -V
ebtables 1.8.2 (nf_tables)
root@sonic:/home/admin# ebtables-legacy -V
ebtables v2.0.10.4 (legacy) (December 2011)
Following are the rules in my nftables and the trace of the packet
traversing nftables:
table bridge filter {
chain PREROUTING {
type filter hook prerouting priority
-300; policy accept;
tcp dport http ip saddr 10.10.10.10
ether daddr set 00:00:00:0a:0b:0c counter packets 0 bytes 0
}
chain trace_chain {
type filter hook prerouting priority
-301; policy accept;
nftrace set 1
}
}
root@sonic:/home/admin# nft list table nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
meta l4proto udp udp dport 53 counter packets 0 bytes
0 jump DNS_SNAT_RULE
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain DOCKER {
}
chain DNS_SNAT_RULE {
}
chain redir {
type nat hook prerouting priority -101; policy accept;
ip saddr 10.10.10.10 tcp dport { http, https } counter
packets 0 bytes 0 dnat to 60.60.60.60
}
}
Packet trace:
packet: iif "Ethernet38" ether saddr 00:00:09:00:10:00 ether daddr
00:00:09:00:11:00 vlan pcp 0 vlan cfi 0 vlan id 10 ip saddr
10.10.10.10 ip daddr 20.20.20.20 ip dscp cs0 ip ecn not-ect ip ttl 2
ip id 0 ip protocol tcp ip length 82 tcp sport http tcp dport http tcp
flags == 0x0 tcp window 0
trace id e19ef0d4 bridge filter PREROUTING rule tcp dport http ip
saddr 10.10.10.10 ether daddr set 00:00:00:0a:0b:0c counter packets 52
bytes 4264 (verdict continue)
trace id e19ef0d4 bridge filter PREROUTING verdict continue
trace id e19ef0d4 bridge filter PREROUTING
trace id e19ef0d4 bridge filter INPUT verdict continue
trace id e19ef0d4 bridge filter INPUT
trace id 00027106 ip filter FORWARD verdict continue
trace id 00027106 ip filter FORWARD
Thanks,
Shirisha.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-06-22 7:40 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-07 8:25 IP DNAT on bridged packets destined to local process Shirisha Dasari
2022-06-08 15:14 ` Maximiliano Estudies
2022-06-09 9:05 ` Shirisha Dasari
2022-06-22 7:39 ` Pablo Neira Ayuso
2022-06-22 7:40 ` Pablo Neira Ayuso
2022-06-07 9:20 Shirisha Dasari
2022-06-07 13:05 Shirisha Dasari
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.