Difference between revisions of "Mangling packet headers"
Jump to navigation
Jump to search
(Create page mangle packet header fields) |
|||
| Line 12: | Line 12: | ||
The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked. | The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked. | ||
For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]]. | For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]]. | ||
Revision as of 19:43, 20 February 2017
Mangle packet header fields
Since nft v0.6 nftables supports stateless payload mangling.
To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:
% nft add table mangle
% nft add chain mangle forward {type filter hook forward priority 0\;}
% nft add rule mangle forward tcp dport 8080 tcp dport set 80
The commands above create a table named mangle, a chain named forward, see Netfilter hooks, and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked.
For more information about packet headers to mangle check manpage nft(8), Matching packet header fields and Quick reference-nftables in 10 minutes.