* Rewrite arp response with nft
[not found] <48471547.724608.1713545266678.ref@mail.yahoo.com>
@ 2024-04-19 16:47 ` G H
2024-04-20 17:31 ` Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: G H @ 2024-04-19 16:47 UTC (permalink / raw)
To: netfilter
On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.
ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
-j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
I can get close to recreating this with nftables, but it is missing the functionality provided by the --snat-arp argument.
table bridge filter {
    chain POSTROUTING {
        type filter hook postrouting priority 0; policy accept;
        ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
    }
}
My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?
$ tcpdump -enni any arp or icmp
12:39:08.525439 vb-p0 P ifindex 5 aa:18:f0:55:79:1e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
12:39:08.525441 ens192 Out ifindex 2 00:50:56:96:12:5e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
* Re: Rewrite arp response with nft
2024-04-19 16:47 ` Rewrite arp response with nft G H
@ 2024-04-20 17:31 ` Florian Westphal
0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2024-04-20 17:31 UTC (permalink / raw)
To: G H; +Cc: netfilter
G H <uothrawn@yahoo.com> wrote:
> On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.
>
> ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
> -j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
>
> I can get close to recreating this with nftables, but it is missing the functionality provided by the --snat-arp argument.
>
> table bridge filter {
>     chain POSTROUTING {
>         type filter hook postrouting priority 0; policy accept;
>         ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
>     }
> }
>
> My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?
No idea, but you might want to look at the "arp" payload expression.
Maybe:
arp operation reply arp daddr ether set ...
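As an added illustration (not code from either poster), the Python below builds an ARP reply like the one in the tcpdump output earlier in the thread and applies the two rewrites in turn. It shows why the poster's rule leaves "is-at" untouched: `ether saddr set` changes bytes 6..11 of the frame (the Ethernet header), while the "is-at" value tcpdump prints is the ARP sender hardware address at bytes 22..27, the field nft exposes as `arp saddr ether`. The two MAC addresses and the IP 10.60.0.67 come from the thread; the destination MAC 00:50:56:96:aa:bb and the target IP 10.60.0.1 are constructed for the example. A final check function reports whether the MAC that was meant to be hidden still appears anywhere in the frame, which is what a switch or a capture on the uplink would see.

```python
import struct

# Ethernet II + ARP (IPv4 over Ethernet) frame layout, byte offsets:
#   0..5   destination MAC
#   6..11  source MAC                   <- nft "ether saddr"
#   12..13 ethertype 0x0806
#   14..21 htype, ptype, hlen, plen, operation
#   22..27 sender hardware address      <- nft "arp saddr ether"; tcpdump "is-at" in a reply
#   28..31 sender protocol address      <- nft "arp saddr ip"
#   32..37 target hardware address      <- nft "arp daddr ether"
#   38..41 target protocol address      <- nft "arp daddr ip"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Frame as the guest emits it: Ethernet source and ARP sender MAC agree."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields nft can match or set; raises on a non-ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    operation = struct.unpack("!H", frame[20:22])[0]
    return {
        "ether_saddr": bytes_to_mac(frame[6:12]),
        "operation": operation,
        "arp_saddr_ether": bytes_to_mac(frame[22:28]),
        "arp_saddr_ip": ".".join(str(x) for x in frame[28:32]),
        "arp_daddr_ether": bytes_to_mac(frame[32:38]),
        "arp_daddr_ip": ".".join(str(x) for x in frame[38:42]),
    }


def set_ether_saddr(frame: bytes, new_mac: str) -> bytes:
    """What the poster's rule does: 'ether saddr set <mac>' (Ethernet header only)."""
    return frame[:6] + mac_to_bytes(new_mac) + frame[12:]


def set_arp_saddr_ether(frame: bytes, new_mac: str) -> bytes:
    """What 'arp saddr ether set <mac>' would do: the ARP sender hardware address."""
    return frame[:22] + mac_to_bytes(new_mac) + frame[28:]


def summarize(frame: bytes) -> str:
    """tcpdump-style one-liner for the ARP part of the frame."""
    p = parse_arp(frame)
    if p["operation"] == ARP_REPLY:
        return f"Reply {p['arp_saddr_ip']} is-at {p['arp_saddr_ether']}"
    return f"Request who-has {p['arp_daddr_ip']} tell {p['arp_saddr_ip']}"


def leaks_mac(frame: bytes, hidden_mac: str) -> bool:
    """Check: does the MAC we meant to hide still appear anywhere in the frame?"""
    return mac_to_bytes(hidden_mac) in frame


# Constructed sample matching the thread: guest MAC aa:18:f0:55:79:1e, public MAC
# 00:50:56:96:12:5e, sender IP 10.60.0.67. The destination MAC and target IP are
# made up for this example.
INNER_MAC = "aa:18:f0:55:79:1e"
PUBLIC_MAC = "00:50:56:96:12:5e"
original = build_arp_reply(INNER_MAC, "10.60.0.67", "00:50:56:96:aa:bb", "10.60.0.1")
after_ether_only = set_ether_saddr(original, PUBLIC_MAC)
after_both = set_arp_saddr_ether(after_ether_only, PUBLIC_MAC)

if __name__ == "__main__":
    for label, f in (("original", original),
                     ("ether saddr set only", after_ether_only),
                     ("plus arp saddr ether set", after_both)):
        p = parse_arp(f)
        print(f"{label:26} src {p['ether_saddr']}  {summarize(f)}"
              f"  leaks inner MAC: {leaks_mac(f, INNER_MAC)}")
```

Run as-is it prints the three stages; the middle line reproduces the capture in the thread (source MAC rewritten, "is-at" still the inner MAC). In nft terms the second rewrite corresponds to adding a rule such as `arp operation reply arp saddr ether set 00:50:56:96:12:5e` next to the existing `ether saddr set` in the bridge postrouting chain; that nft accepts `set` on the `arp saddr ether` payload expression in a bridge chain is an assumption here, so check the ruleset with `nft -c -f <file>` before loading it. Inbound frames addressed to the public MAC would need the mirror-image rewrite on the way in, which neither the thread nor this example covers.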