rename and typo
Source Link
A.B
  • 39.5k
  • 2
  • 87
  • 134

It's still possible to use nftables in the netdev family (rather than ip family) for this case, since only ingress is needed (nftables still doesn't have egress available). The behaviour of dup and fwd in the ingress hook is exactly the same as tc-mirred's mirror and redirect.

I also addressed a minor detail: rewrite the Ethernet source address to the new Ethernet outgoing interface's MAC address, as would have been done for a truly routed packet, even if it works for you without this. So the interfaces' MAC addresses have to be known beforehand. I put the two required (eth0's and eth1's) in variables/macro definitions, which should be edited with the correct values.

define eth0mac = 02:0a:00:00:00:01
define eth1mac = 02:0b:00:00:00:01

table netdev staticnat
delete table netdev staticnat

table netdev staticnat {
    chain b { type filter hook ingress device eth1 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.1.255 udp dport 21027 jump b-to-a
    }

    chain c { type filter hook ingress device eth2 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.2.255 udp dport 21027 counter jump c-to-b-a
    }

    chain b-to-a {
        ether saddr set $eth0mac ip daddr set 192.168.0.255 fwd to eth0
    }

    chain c-to-b-a {
        ether saddr set $eth1mac ip daddr set 192.168.2.255 dup to eth1 goto b-to-a
    }
}

It's still possible to use nftables in the netdev family (rather than ip family) for this case, since only ingress is needed (nftables still doesn't have egress available). The behaviour of dup and fwd in the ingress hook is exactly the same as tc-mirred's mirror and redirect.

I also addressed a minor detail: rewrite the Ethernet source address to the new Ethernet outgoing interface's MAC address, as would have been done for a truly routed packet, even if it works for you without this. So the interfaces' MAC addresses have to be known beforehand. I put the two required (eth0's and eth1's) in variables/macro definitions, which should be edited with the correct values.

define eth0mac = 02:0a:00:00:00:01
define eth1mac = 02:0b:00:00:00:01

table netdev statelessnat
delete table netdev statelessnat

table netdev statelessnat {
    chain b { type filter hook ingress device eth1 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.1.255 udp dport 21027 jump b-to-a
    }

    chain c { type filter hook ingress device eth2 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.2.255 udp dport 21027 counter jump c-to-b-a
    }

    chain b-to-a {
        ether saddr set $eth0mac ip daddr set 192.168.0.255 fwd to eth0
    }

    chain c-to-b-a {
        ether saddr set $eth1mac ip daddr set 192.168.1.255 dup to eth1 goto b-to-a
    }
}
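Because the two `define` lines must be edited by hand, here is an added shell wrapper (an example written for this page, not code from A.B's answer or from the nftables project) that reads the MACs of eth0 and eth1 from the running system, validates them before splicing them into rule text, renders the final ruleset above into a temporary file, and checks it with `nft -c -f` before loading it with `nft -f`. It assumes Linux's standard `/sys/class/net/<iface>/address` sysfs path and the interface names eth0/eth1 used in the answer; the ruleset body is the answer's final revision copied unchanged.

```shell
#!/bin/sh
# Added helper, not part of A.B's answer: render the final ruleset with the
# MAC addresses read from the running system instead of hand-edited defines,
# then syntax-check and load it as one transaction.

# Accept only a colon-separated 48-bit MAC; anything else is rejected before
# it can be spliced into the generated rule text.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Linux exposes an interface's MAC under sysfs (standard path, assumed
# readable here); prints nothing if the interface does not exist.
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# Emit the ruleset for the given eth0 and eth1 MACs. Table, chains and
# addresses are those of the answer; only the two defines are filled in.
render_ruleset() {
    valid_mac "$1" && valid_mac "$2" || return 1
    printf 'define eth0mac = %s\ndefine eth1mac = %s\n\n' "$1" "$2"
    # Quoted heredoc: $eth0mac/$eth1mac stay literal for nft to expand.
    cat <<'EOF'
table netdev statelessnat
delete table netdev statelessnat

table netdev statelessnat {
    chain b { type filter hook ingress device eth1 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.1.255 udp dport 21027 jump b-to-a
    }

    chain c { type filter hook ingress device eth2 priority 0;
        pkttype broadcast ether type ip ip daddr 192.168.2.255 udp dport 21027 counter jump c-to-b-a
    }

    chain b-to-a {
        ether saddr set $eth0mac ip daddr set 192.168.0.255 fwd to eth0
    }

    chain c-to-b-a {
        ether saddr set $eth1mac ip daddr set 192.168.1.255 dup to eth1 goto b-to-a
    }
}
EOF
}

# Check first (-c parses without committing), then apply; nft -f loads the
# whole file atomically, so no half-installed table is ever active.
load_ruleset() {
    f=$(mktemp) || return 1
    if ! render_ruleset "$(iface_mac eth0)" "$(iface_mac eth1)" > "$f"; then
        rm -f "$f"; return 1
    fi
    nft -c -f "$f" && nft -f "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Usage (as root): sh this_script.sh load
if [ "${1:-}" = load ]; then
    load_ruleset
fi
```

`render_ruleset` can also be run on its own to inspect the generated file; because the table is created and deleted before being redefined, reloading the script after a MAC change replaces the old rules in the same transaction rather than leaving stale copies behind.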