Score:1

Packets dropped when the target addresses (MAC and IP) are changed to own host's interface

pk flag

My host acts as a router and has two network interfaces, enp1s0 (one host connected with IP 192.168.10.20) and enp2s0. enp1s0 is used to receive UDP packets and enp2s0 usually has the listening hosts connected.

When I activate the nftables logging with:

table ip filter {
        chain logging {
                type filter hook prerouting priority filter; policy accept;
                ip saddr 192.168.10.20 log prefix "ip-filter1-"
        }
}

I see all packets from 192.168.10.20 being logged, and I also see in the log what the actual targets of the packets are (because my host is just the router and passes the packets through).

Nevertheless, when I try to do some very low-level redirecting in the netdev family, the log lines are no longer printed (I assume that the packets are dropped, aren't they?):

table netdev filter { # handle 3
        chain mod { # handle 15
                type filter hook ingress device "enp1s0" priority -500; policy accept;
                ether daddr set c4:00:ad:99:67:c7 ip daddr set 192.168.10.120 # handle 16
        }
}

This is my ip a output:

...
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c4:00:ad:99:67:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.120/24 brd 192.168.10.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::c600:adff:fe99:67c7/64 scope link
       valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c4:00:ad:99:67:c8 brd ff:ff:ff:ff:ff:ff
    inet 10.20.75.50/24 brd 10.20.75.255 scope global dynamic noprefixroute enp2s0
       valid_lft 682026sec preferred_lft 682026sec
    inet6 fe80::c600:adff:fe99:67c8/64 scope link
       valid_lft forever preferred_lft forever

ip route gives me:

default via 10.20.75.254 dev enp2s0 proto dhcp metric 101
10.20.75.0/24 dev enp2s0 proto kernel scope link src 10.20.75.50 metric 101
169.254.0.0/16 dev enp1s0 scope link metric 1000
192.168.10.0/24 dev enp1s0 proto kernel scope link src 192.168.10.120 metric 100

Why is it that packets are no longer logged after I rewrite the MAC address and the IP address to the values of the local NIC?

Score:0
pk flag

I solved it by using the netdev family with nftables:

This is how packets arriving on the NIC are redirected to a local interface:

table netdev filter {
        chain redir {
                type filter hook ingress device "enp1s0" priority filter; policy accept;
                ether daddr set c4:00:ad:99:67:c7 ip daddr set 192.168.10.120 udp dport set 4500 meta pkttype set host
        }
}

Promiscuous mode must be turned on so that the NIC accepts packets not addressed to it:

ip link set enp1s0 promisc on
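As an added example (not part of the answer above), this is the same redirect written so that it can be verified with counters: a frame whose MAC was not the NIC's own arrives with packet type "other", and the IPv4 receive path discards such packets before the prerouting hook ever sees them, which is why the question's rewrite without `meta pkttype set host` produced no log lines. The original destination 192.168.10.30 and port 500 are assumed placeholder values; the MAC, local IP and port 4500 come from the page.

```nft
flush ruleset

table netdev filter {
        # Named counters make it visible whether frames are seen and rewritten
        counter otherhost_seen {}
        counter rewritten {}

        chain redir {
                type filter hook ingress device "enp1s0" priority -500; policy accept;

                # Only visible with "ip link set enp1s0 promisc on": frames for
                # foreign MACs are delivered with pkttype "other"
                meta pkttype other counter name "otherhost_seen"

                # Rewrite only the intended flow (assumed original target and port),
                # not every frame on the interface; pkttype host is what lets the
                # IP stack accept the packet as locally destined
                ip daddr 192.168.10.30 udp dport 500 ether daddr set c4:00:ad:99:67:c7 ip daddr set 192.168.10.120 udp dport set 4500 meta pkttype set host counter name "rewritten"
        }
}

table ip filter {
        chain logging {
                type filter hook prerouting priority filter; policy accept;
                # Fires only if the rewritten packet survived into the IP layer
                ip daddr 192.168.10.120 udp dport 4500 log prefix "redir-ok-" counter
        }
}
```

Load with `nft -f` and compare `nft list counters` against the kernel log: "otherhost_seen" rising while "rewritten" stays at zero means the match in the rewrite rule does not fit the traffic, and "rewritten" rising without any "redir-ok-" log line means the packet is still being discarded before prerouting.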