Netfilter-Devel Archive mirror
From: Daniel Mack <daniel@zonque.org>
To: netfilter-devel@vger.kernel.org
Subject: Issues with netdev egress hooks
Date: Wed, 6 Mar 2024 16:43:02 +0100
Message-ID: <ba22c8bd-4fff-40e5-81c3-50538b8c70b5@zonque.org>

Hi,

I am using the NFT egress hook in a netdev table with 'set' statements
to adjust the source MAC and IP addresses before duplicating packets to
another interface:

table netdev dummy {
  chain egress {
    type filter hook egress device "dummy" priority 0;
    ether type ip ether saddr set 01:02:03:04:05:06 ip saddr set 1.1.1.1 dup to "eth0"
  }
}

Does this rule look okay or am I holding it wrong?

The modification of the sender's MAC address works fine. However, the
adjustment of the source IP is applied at the wrong offset. The octets
in the raw packet that are being modified are 13 and 14, which would be
the correct offset within an IP header, but it seems that the prefixed
Ethernet header is not taken into account.

For the same reason, attempting to filter based on any details beyond
the Ethernet header also fails. The following rule does not match any
packets, even though there is a significant amount of UDP traffic:

table netdev dummy {
  chain egress {
    type filter hook egress device "dummy" priority 0;
    ether type ip ip protocol udp dup to "eth0"
  }
}

At this point, I'm not sure where to start digging to be honest and
would appreciate any guidance on how to resolve this issue.


Thanks,
Daniel
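
As an added diagnostic (not code from this mail or from nftables), the Python below builds a constructed Ethernet/IPv4/UDP frame, rewrites the IPv4 source address at the frame-relative offset an egress hook has to use (14 bytes of Ethernet header plus 12 for saddr) with a refreshed header checksum, and names the fields that a rewrite applied at the bare IP-header offset would clobber instead. The frame contents, MAC/IP values and the field table are constructed assumptions, not taken from the report.

```python
import struct
import ipaddress

ETH_HLEN = 14      # Ethernet header: dst MAC(6) + src MAC(6) + EtherType(2)
IP_SADDR_OFF = 12  # source address offset inside the IPv4 header
IP_CSUM_OFF = 10   # header checksum offset inside the IPv4 header

# Byte layout of an Ethernet + IPv4 frame (constructed table), used to name
# what a raw write at a given frame offset touches.
LAYOUT = [(0, 6, "dst mac"), (6, 12, "src mac"), (12, 14, "ethertype"),
          (14, 15, "version/ihl"), (15, 16, "tos"), (16, 18, "total length"),
          (18, 20, "id"), (20, 22, "flags/frag"), (22, 23, "ttl"), (23, 24, "protocol"),
          (24, 26, "header checksum"), (26, 30, "ip saddr"), (30, 34, "ip daddr")]

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame() -> bytes:
    """Constructed sample: an Ethernet + IPv4/UDP frame as it would leave a dummy device."""
    eth = bytes.fromhex("aabbccddeeff" "001122334455" "0800")   # dst, src, EtherType IPv4
    udp = struct.pack("!HHHH", 0x1234, 53, 12, 0) + b"ping"     # sport, dport, len, csum, data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("10.0.0.2").packed,
                     ipaddress.IPv4Address("8.8.8.8").packed)
    ip = ip[:IP_CSUM_OFF] + struct.pack("!H", ipv4_checksum(ip)) + ip[IP_CSUM_OFF + 2:]
    return eth + ip + udp

def set_ip_saddr(frame: bytes, new_saddr: str, l3_offset: int = ETH_HLEN) -> bytes:
    """Rewrite the IPv4 source address at l3_offset + 12 and refresh the header checksum.

    l3_offset=ETH_HLEN is the correct base for a frame seen at egress; l3_offset=0
    reproduces the symptom described above (IP offset applied without the Ethernet header).
    """
    buf = bytearray(frame)
    off = l3_offset + IP_SADDR_OFF
    buf[off:off + 4] = ipaddress.IPv4Address(new_saddr).packed
    hdr = buf[l3_offset:l3_offset + 20]
    hdr[IP_CSUM_OFF:IP_CSUM_OFF + 2] = b"\x00\x00"
    csum = l3_offset + IP_CSUM_OFF
    buf[csum:csum + 2] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(buf)

def fields_hit(start: int, length: int = 4) -> list:
    """Names of the frame fields that a raw write of `length` bytes at `start` overlaps."""
    return [name for lo, hi, name in LAYOUT if lo < start + length and hi > start]
```

Comparing a frame captured on the duplicate interface against set_ip_saddr(original) byte by byte shows whether the kernel's rewrite landed at the link-layer-relative or the IP-relative offset.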


Thread overview: 4+ messages
2024-03-06 15:43 Daniel Mack [this message]
2024-03-06 18:17 ` Issues with netdev egress hooks Pablo Neira Ayuso
2024-03-07 13:34   ` Daniel Mack
2024-03-07 16:24     ` Pablo Neira Ayuso