Difference between revisions of "Duplicating packets"

From nftables wiki

Latest revision as of 00:30, 17 February 2021

Since Linux kernel 4.3, you can duplicate packets to another IPv4 or IPv6 destination address. You may want to use this feature to copy selected traffic from the local system to a remote host for further inspection.

The following rule duplicates all traffic to 172.20.0.2:

% nft add rule mangle prerouting dup to 172.20.0.2

You can also force the dup statement to use a given device to route traffic from:

% nft add rule mangle prerouting dup to 172.20.0.2 device eth1

The above rule specifies that the duplicated packets must leave the system via interface eth1. Your system must have a route to reach 172.20.0.2 via eth1 for this to work.

You can also combine the dup statement with maps. For example:

% nft add rule mangle prerouting dup to ip saddr map { 192.168.0.1 : 172.20.0.2, 192.168.0.2 : 172.20.0.3 }

This rule sends duplicated packets to different remote hosts, depending on the source IPv4 address (map keys must be unique, so each source address maps to exactly one destination).
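The one-line commands above assume that a table named ''mangle'' with a ''prerouting'' base chain already exists in the ''ip'' family. The ruleset file below is an added example (not from the wiki page) that creates them and carries both dup forms; the collector addresses 172.20.0.2/172.20.0.3, the source addresses 192.168.0.x, the port 80 filter and the interface eth1 are assumed placeholder values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables wiki page.
# Load with: nft -f dup.nft   (requires Linux >= 4.3 and the ip family)

table ip mangle {
    # Destination chosen by source address. Keys must be unique;
    # the kernel rejects a map literal that repeats a key.
    map dup_targets {
        type ipv4_addr : ipv4_addr
        elements = { 192.168.0.1 : 172.20.0.2,
                     192.168.0.2 : 172.20.0.3 }
    }

    chain prerouting {
        # Base chain at the prerouting hook with mangle priority (-150),
        # so copies are taken before routing of the original packet.
        type filter hook prerouting priority mangle; policy accept;

        # Mirror only HTTP requests (not all traffic) to one collector and
        # force the copy out of eth1. A route to 172.20.0.2 via eth1 must
        # exist first; check with: ip route get 172.20.0.2
        tcp dport 80 dup to 172.20.0.2 device eth1

        # Per-source collectors taken from the named map above; packets
        # whose source address is not in the map are not duplicated.
        tcp dport 80 dup to ip saddr map @dup_targets
    }
}
```

The original packet continues through the ruleset unchanged; only the copy is sent to the collector, so a narrow match (here `tcp dport 80`) keeps mirrored volume and the collector's exposure to unrelated traffic small.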