Mangling packet headers: Difference between revisions
(kernel version requirement) |
(add example of using notrack, along with a reference to the article.) |
||
| Line 11: | Line 11: | ||
</source> | </source> | ||
The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked. | The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. | ||
Keep in mind the interactions with conntrack, flows with mangled traffic must be [[Setting packet connection tracking metainformation | untracked]]. You can do this in a single rule: | |||
<source> | |||
% nft add rule ip6 mangle forward ip6 daddr fd00::1 ip6 daddr set fd00::2 notrack | |||
</source> | |||
For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]]. | For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]]. | ||
Revision as of 12:14, 13 September 2017
Mangle packet header fields
Since nft v0.6 nftables supports stateless payload mangling. Note that if you mangle packet fields that are included in the layer 4 checksum pseudoheader, then you require a Linux kernel version >= 4.10.
To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:
% nft add table mangle
% nft add chain mangle forward {type filter hook forward priority 0\;}
% nft add rule mangle forward tcp dport 8080 tcp dport set 80
The commands above create a table named mangle, a chain named forward, see Netfilter hooks, and a rule to mangle the destination port of packets over TCP from 8080 to 80.
Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked. You can do this in a single rule:
% nft add rule ip6 mangle forward ip6 daddr fd00::1 ip6 daddr set fd00::2 notrackFor more information about packet headers to mangle check manpage nft(8), Matching packet header fields and Quick reference-nftables in 10 minutes.