* Rewrite arp response with nft
       [not found] <48471547.724608.1713545266678.ref@mail.yahoo.com>
@ 2024-04-19 16:47 ` G H
  2024-04-20 17:31   ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: G H @ 2024-04-19 16:47 UTC (permalink / raw)
  To: netfilter

 On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.

ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
      -j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
      
I can get close to recreating this with nftables, but it is missing the functionality provided by the --snat-arp argument.

table bridge filter {
    chain POSTROUTING {
        type filter hook postrouting priority 0; policy accept;
        ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
    }
}

My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?

$ tcpdump -enni any arp or icmp
12:39:08.525439 vb-p0 P   ifindex 5 aa:18:f0:55:79:1e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
12:39:08.525441 ens192 Out ifindex 2 00:50:56:96:12:5e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28

* Re: Rewrite arp response with nft
  2024-04-19 16:47 ` Rewrite arp response with nft G H
@ 2024-04-20 17:31   ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2024-04-20 17:31 UTC (permalink / raw)
  To: G H; +Cc: netfilter

G H <uothrawn@yahoo.com> wrote:
>  On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.
> 
> ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
>       -j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
>       
> I can get close to recreating this with nftables, but it is missing the functionality provided by the --snat-arp argument.
> 
> table bridge filter {
>     chain POSTROUTING {
>         type filter hook postrouting priority 0; policy accept;
>         ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
>     }
> }
> 
> My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?

No idea, but you might want to look at the "arp" payload expression.

Maybe:
arp operation reply arp daddr ether set ...



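To make the difference between the two fields concrete, here is an added example (not code from either poster) that builds an ARP reply as raw bytes, applies the same rewrite as the poster's "ether saddr set" rule, and shows that the ARP sender hardware address (what tcpdump prints as "is-at") is a separate field at a fixed offset inside the ARP payload that only changes when that payload is rewritten. The second rewrite function mirrors the nftables payload expression "arp saddr ether set", which is the field the hint about the "arp" payload expression points at; that mapping, the destination MAC and the destination IP are constructed assumptions.

```python
import struct

# Ethernet header: dst MAC, src MAC, ethertype (14 bytes)
ETH_HDR = struct.Struct("!6s6sH")
# ARP header: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes,
# matching the "length 28" tcpdump reports in the thread)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
SHA_OFFSET = ETH_HDR.size + 8  # sha follows htype, ptype, hlen, plen, oper

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """ARP 'is-at' reply: sender hardware address equals the frame source MAC."""
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac(src_mac), ip(src_ip), mac(dst_mac), ip(dst_ip))
    return eth + arp

def parse(frame: bytes) -> dict:
    """Return the two MACs the thread is about: Ethernet source and ARP 'is-at'."""
    _dst, src, _etype = ETH_HDR.unpack_from(frame, 0)
    _, _, _, _, oper, sha, _spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"ether_saddr": mac_str(src), "arp_saddr_ether": mac_str(sha), "oper": oper}

def rewrite_ether_saddr(frame: bytes, new_mac: str) -> bytes:
    """Same effect as the poster's rule 'ether saddr set <mac>': bytes 6..11 only."""
    return frame[:6] + mac(new_mac) + frame[12:]

def rewrite_arp_saddr_ether(frame: bytes, new_mac: str) -> bytes:
    """Assumed equivalent of 'arp saddr ether set <mac>': the 'is-at' field."""
    return frame[:SHA_OFFSET] + mac(new_mac) + frame[SHA_OFFSET + 6:]

def demo() -> tuple:
    # Constructed sample: the thread's MACs and IP, an invented peer on the other end.
    frame = build_arp_reply("aa:18:f0:55:79:1e", "00:11:22:33:44:55", "10.60.0.67", "10.60.0.1")
    after_ether = rewrite_ether_saddr(frame, "00:50:56:96:12:5e")
    after_both = rewrite_arp_saddr_ether(after_ether, "00:50:56:96:12:5e")
    return parse(after_ether), parse(after_both)

if __name__ == "__main__":
    for step, fields in zip(("ether saddr set only", "plus arp saddr ether set"), demo()):
        print(f"{step}: src {fields['ether_saddr']} is-at {fields['arp_saddr_ether']}")
```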