Duplicating packets

From nftables wiki

Since Linux kernel 4.3, you can duplicate packets to another destination from the ip and ip6 families. A typical use of this feature is to send a copy of the traffic to another remote peer (for example a passive sensor or IDS) for further inspection, while the original packet continues on its normal path.

The following rule duplicates all traffic to 172.20.0.2:

% nft add rule mangle prerouting dup to 172.20.0.2

You can also force the dup statement to send the duplicated traffic out through a given device:

% nft add rule mangle prerouting dup to 172.20.0.2 device eth1

Thus, the rule above indicates that the duplicated packets must go via eth1. Don't forget that you need a route to reach 172.20.0.2 via eth1, otherwise this will not work.

You can also combine the dup statement with maps, e.g.

% nft add rule mangle prerouting dup to ip saddr map { 192.168.0.1 : 172.20.0.2, 192.168.0.2 : 172.20.0.3 }

In the rule above, the destination that receives the duplicated packets depends on the source IPv4 address: packets from 192.168.0.1 are copied to 172.20.0.2 and packets from 192.168.0.2 are copied to 172.20.0.3. Packets whose source address is not in the map are not duplicated.
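The one-line commands above assume that the mangle table and its prerouting chain already exist. As an added example (not part of the original wiki page), the following ruleset file, loadable with nft -f, creates that table and chain and carries the three variants of the dup statement described above in one place: an unconditional copy, a copy forced out through a device, and a per-source-address map. The interface name eth1, the sensor addresses 172.20.0.2 and 172.20.0.3 (from the page), the 192.168.0.0/24 source addresses, and the IPv6 sensor address 2001:db8::2 are assumptions chosen for illustration; replace them with your own.

```nft
#!/usr/sbin/nft -f
# Added example: duplicate selected traffic to one or more passive sensors.
# Load with:  nft -f dup-to-sensors.nft
# Requires Linux >= 4.3 (dup statement) and the ip/ip6 families.

# Make the file idempotent: create the table if missing, then drop its old rules.
add table ip mangle
flush table ip mangle

table ip mangle {
    # Named map: which sensor receives a copy, keyed by source IPv4 address.
    # Keys must be unique; a duplicate key makes nft reject the ruleset.
    map sensor_by_src {
        type ipv4_addr : ipv4_addr
        elements = { 192.168.0.1 : 172.20.0.2,
                     192.168.0.2 : 172.20.0.3 }
    }

    chain prerouting {
        # -150 is the conventional mangle priority (named "mangle" in newer nft).
        type filter hook prerouting priority -150; policy accept;

        # 1) Unconditional copy of everything to one sensor (as on the wiki page).
        #    The copied packet keeps its original IP header; 172.20.0.2 is only
        #    the next hop, so a route to it must exist.
        dup to 172.20.0.2

        # 2) Copy only web traffic, and force it out through eth1.
        #    A route to 172.20.0.2 via eth1 is required or the copy is dropped.
        #    The counter lets you confirm the rule is matching: nft list table ip mangle
        tcp dport { 80, 443 } counter dup to 172.20.0.2 device eth1

        # 3) Pick the sensor per source address via the named map.
        #    Sources not present in the map are simply not duplicated.
        dup to ip saddr map @sensor_by_src device eth1
    }
}

# The same statement is available in the ip6 family (IPv6 sensor address assumed).
add table ip6 mangle
flush table ip6 mangle

table ip6 mangle {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        dup to 2001:db8::2 device eth1
    }
}
```

After loading, nft list table ip mangle shows the counter on rule 2 increasing as matching packets arrive, and a capture on the sensor side (for example tcpdump on the interface facing eth1) shows the copies carrying their original source and destination addresses. Because dup does not rewrite the IP header, the sensor should be a passive listener; if it were to forward the copies, the original packets would be delivered twice.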