
List:       netfilter
Subject:    Re: Packets lost in netfilter & Altering outgoing packet's mac address
From:       Florian Westphal <fw () strlen ! de>
Date:       2022-08-18 17:49:52
Message-ID: 20220818174952.GB32331 () breakpoint ! cc

Ludvig Sandh <givdul11@hotmail.se> wrote:
> For changing the source address of outgoing packets I've tried explicitly setting it with 'nft add rule ip filter postrouting ip saddr set 192.168.10.132 ether saddr set 54:af:97:87:eb:b9'

Won't work because at this point there either is no ethernet header yet
or you're changing the ethernet header of the incoming/forwarded packet.

> 	chain input {
> 		type filter hook input priority filter; policy accept;
> 		ip saddr 216.58.207.206 ip daddr 192.168.10.203 ether daddr 7c:c2:c6:35:82:08 counter packets 1 bytes 168  # Shows that the google packet reached the input chain with altered addresses!
> 	}
> }
> table ip filter {
> 	chain prerouting {
> 		type filter hook prerouting priority filter; policy accept;
> 		counter packets 0 bytes 0

Wild guess: IP stack discards packet as foreign.  Try 'meta pkttype
set unicast' in the bridge rule that rewrites the dst mac.
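
The suggestion above written out as a ruleset, as an added example that is not part of the original message or the poster's configuration. The bridge rule that rewrites the MAC is not shown in the thread, so the bridge prerouting chain and its `ip saddr` match are assumptions; the addresses are the ones quoted above.

```nft
# Added example (not from the thread). Load with: nft -f <file>
# Assumption: the destination MAC rewrite happens in a bridge-family
# prerouting chain; the thread does not show that rule.
table bridge filter {
	chain prerouting {
		type filter hook prerouting priority filter; policy accept;

		# Rewrite the destination MAC and, in the same rule, mark the frame
		# as addressed to this host. The packet type was assigned when the
		# frame was received, before the rewrite, so it would otherwise
		# still say "other host" and the IP receive path drops such packets.
		ip saddr 216.58.207.206 ether daddr set 7c:c2:c6:35:82:08 meta pkttype set unicast counter
	}

	chain input {
		type filter hook input priority filter; policy accept;

		# Same check as in the quoted ruleset: the frame reaches the
		# bridge input hook with the rewritten destination MAC.
		ip saddr 216.58.207.206 ether daddr 7c:c2:c6:35:82:08 counter
	}
}

table ip filter {
	chain prerouting {
		type filter hook prerouting priority filter; policy accept;

		# This counter stayed at 0 in the quoted output. If the packet
		# type was the cause, it increments once the bridge rule above
		# sets pkttype.
		ip saddr 216.58.207.206 counter
	}
}
```

Comparing the three counters in `nft list ruleset` after sending test traffic shows whether the packet now passes from the bridge hooks into the IP stack.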

