Mangling packet headers: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(delete redundant header)
No edit summary
Line 1: Line 1:
Since nft v0.6 nftables supports stateless payload mangling. Note that if you mangle packet fields that are included in the [https://en.wikipedia.org/wiki/User_Datagram_Protocol#IPv4_Pseudo_Header layer 4 checksum pseudoheader], then you require a Linux kernel version >= 4.10.
Since nft v0.6 nftables supports packet header mangling, including stateless NAT.
 
'''Note''': if you mangle packet fields that are included in the [https://en.wikipedia.org/wiki/User_Datagram_Protocol#IPv4_Pseudo_Header layer 4 checksum pseudoheader], then you require a Linux kernel version >= 4.10.


To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:
To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:
Line 10: Line 12:


The commands above create a table named ''raw'', a chain named ''prerouting'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80.
The commands above create a table named ''raw'', a chain named ''prerouting'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80.
= Interactions with conntrack =


Keep in mind the interactions with conntrack, flows with mangled traffic must be [[Setting packet connection tracking metainformation | untracked]]. You can do this in a single rule:
Keep in mind the interactions with conntrack, flows with mangled traffic must be [[Setting packet connection tracking metainformation | untracked]]. You can do this in a single rule:

Revision as of 19:05, 18 December 2020

Since nft v0.6 nftables supports packet header mangling, including stateless NAT.

Note: if you mangle packet fields that are included in the layer 4 checksum pseudoheader, then you require a Linux kernel version >= 4.10.

To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it: 

% nft add table raw
% nft add chain raw prerouting {type filter hook prerouting priority -300\;}
% nft add rule raw prerouting tcp dport 8080 tcp dport set 80

The commands above create a table named raw, a chain named prerouting, see Netfilter hooks, and a rule to mangle the destination port of packets over TCP from 8080 to 80.

Interactions with conntrack

Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked. You can do this in a single rule: 

% nft add rule ip6 raw prerouting ip6 daddr fd00::1 ip6 daddr set fd00::2 notrack

For more information about packet headers to mangle check manpage nft(8), Matching packet header fields and Quick reference-nftables in 10 minutes.

Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Mangling_packet_headers&oldid=609"