Netfilter-Devel Archive on lore.kernel.org
* Please add Bridge NAT in nftables
From: Ttttabcd @ 2019-09-28  6:06 UTC (permalink / raw)
  To: netfilter-devel

The NAT function is included in ebtables (it is very simple, but better than nothing), but I did not find the corresponding function in nftables.

In ebtables there is only static NAT, no masquerading; we can implement it in nftables.

Implementing dynamic MAC NAT is very simple. We can use the IP address as an identifier to convert the corresponding MAC. It is also simple to maintain the conversion table. It is similar to the FIB of a switch: it learns automatically, and entries are discarded on timeout.

In MAC NAT it is: IP -> MAC.

In the FIB of a switch it is: MAC -> Dev Port.

In IPv4 NAT it is: TCP Port -> IP.

This is easy to understand.


src: 192.168.1.50                                  src: 192.168.1.50
dst: 192.168.1.100                                 dst: 192.168.1.100
-----------------           ->    Bridge    ->     -----------------
src MAC: Host A                                    src MAC: Bridge
dst MAC: Host B                                    dst MAC: Host B

Now NAT learned that the MAC corresponding to 192.168.1.50 is Host A.

src: 192.168.1.100                                 src: 192.168.1.100
dst: 192.168.1.50                                  dst: 192.168.1.50
-----------------           <-    Bridge    <-     -----------------
src MAC: Host B                                    src MAC: Host B
dst MAC: Host A                                    dst MAC: Bridge

Host A does not know the existence of NAT at all.

Maybe you want to ask me now: why do you want to do this, when the bridge can forward the data frame directly?

But the reality is that it gives people a headache. In some cases, a device port can only correspond to one source MAC address. If a normal switch requires multiple source MAC addresses, the network cannot be used!

For example, with security-restricted switches, or with wireless networks (when WDS is not supported), only a single source MAC can be used.

Dynamic MAC NAT is very important in these situations!


* Re: Please add Bridge NAT in nftables
From: Florian Westphal @ 2019-09-28  8:23 UTC (permalink / raw)
  To: Ttttabcd; +Cc: netfilter-devel

Ttttabcd <ttttabcd@protonmail.com> wrote:
> The NAT function is included in ebtables (although it is very simple, but it is better than nothing), but I did not find the corresponding function in nftables.

You can do stateless mac nat like this:
add rule ... ether saddr set 00:0f:54:0c:11:04

or, with anon map:
add rule ... ether saddr set ip saddr map { 192.168.1.50 :
	00:0f:54:0c:11:04, 192.168.1.100 : 00:0f:54:0c:11:42 }

or with named map:

add table bridge mynat
add map bridge mynat mymacnatmap { type ipv4_addr : ether_addr; flags timeout; }
add rule ... ether saddr set ip saddr map @mymacnatmap


* Re: Please add Bridge NAT in nftables
From: Ttttabcd @ 2019-09-28 12:35 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

It is really great that nftables already has such a feature!

Please add the example to the nftables wiki; otherwise normal users do not know that nftables has the MAC NAT function.
