* Please add Bridge NAT in nftables
@ 2019-09-28 6:06 Ttttabcd
2019-09-28 8:23 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Ttttabcd @ 2019-09-28 6:06 UTC (permalink / raw)
To: netfilter-devel
The NAT function is included in ebtables (although it is very simple, but it is better than nothing), but I did not find the corresponding function in nftables.
In ebtables there is only static NAT, no Masquerading, we can implement it in nftables
Implementing dynamic MAC NAT is very simple. We can use the IP address as an identifier to convert the corresponding MAC. It is also simple to maintain the conversion table. It is similar to the FIB of the switch, automatically learns, and the entries are discarded when timeout.
In MAC NAT is : IP -> MAC.
In the FIB of the switch is : MAC -> Dev Port.
In IPv4 NAT is : TCP Port -> IP.
This is easy to understand.
src: 192.168.1.50 src: 192.168.1.50
dst: 192.168.1.100 dst: 192.168.1.100
----------------- -> Bridge -> -----------------
src MAC: Host A src MAC: Bridge
dst MAC: Host B dst MAC: Host B
Now NAT learned that the MAC corresponding to 192.168.1.50 is Host A.
src: 192.168.1.100 src: 192.168.1.100
dst: 192.168.1.50 dst: 192.168.1.50
----------------- <- Bridge <- -----------------
src MAC: Host B src MAC: Host B
dst MAC: Host A dst MAC: Bridge
Host A does not know the existence of NAT at all.
Maybe you want to ask me now, why do you want to do this, the bridge can completely forward the data frame directly?
But the reality is that it makes people feel a headache. In some cases, a device port can only correspond to one source MAC address. If a normal switch requires multiple source MAC addresses, the network cannot be used!
Like those with security-restricted switches, or like wireless networks (when WDS is not supported), only a single source MAC can be used.
Dynamic MAC NAT is very important in these situations!
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Please add Bridge NAT in nftables
2019-09-28 6:06 Please add Bridge NAT in nftables Ttttabcd
@ 2019-09-28 8:23 ` Florian Westphal
2019-09-28 12:35 ` Ttttabcd
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2019-09-28 8:23 UTC (permalink / raw)
To: Ttttabcd; +Cc: netfilter-devel
Ttttabcd <ttttabcd@protonmail.com> wrote:
> The NAT function is included in ebtables (although it is very simple, but it is better than nothing), but I did not find the corresponding function in nftables.
You can do stateless mac nat like this:
add rule ... ether saddr set 00:0f:54:0c:11:4
or, with anon map:
add rule ... ether saddr set ip saddr map { 192.168.1.50 :
00:0f:54:0c:11:4, 192.168.1.100 : 0f:54:0c:11:42 }
or with named map:
add table bridge mynat
add map bridge mynat mymacnatmap "{ type ipv4_addr : ether_addr; flags timeout; }
add rule ... ether saddr set ip saddr map @mynatmap
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-09-28 12:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-28 6:06 Please add Bridge NAT in nftables Ttttabcd
2019-09-28 8:23 ` Florian Westphal
2019-09-28 12:35 ` Ttttabcd
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).