Duplicating packets

From nftables wiki
Revision as of 00:30, 17 February 2021 by Fmyhr (talk | contribs) (Edited for clarity.)

Since Linux kernel 4.3, you can duplicate packets to another IPv4 or IPv6 destination address. You may want to use this feature to copy selected traffic from the local system to a remote host for further inspection.

The following rule duplicates all traffic to 172.20.0.2:

% nft add rule mangle prerouting dup to 172.20.0.2

You can also force the dup statement to send the copies out through a given device:

% nft add rule mangle prerouting dup to 172.20.0.2 device eth1

The above rule specifies that the duplicated packets must leave the system via interface eth1. Your system must have a route to reach 172.20.0.2 via eth1 for this to work.

You can also combine the dup statement with maps. For example:

% nft add rule mangle prerouting dup to ip saddr map { 192.168.0.1 : 172.20.0.2, 192.168.0.2 : 172.20.0.3 }

This rule sends the duplicated packets to a different remote host depending on the source IPv4 address (each source address may appear only once as a map key).
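The one-line commands above assume that a table named mangle with a chain named prerouting already exists. The following complete ruleset is an added example, not from the nftables wiki: it creates that chain, mirrors only selected traffic rather than everything, and counts what was copied so the rule can be checked. The sensor addresses 172.20.0.2 and 172.20.0.3, the LAN prefix 192.168.0.0/24 and the interface eth1 are assumptions for illustration.

```nft
# Added example (not from the nftables wiki). Load with 'nft -f <file>',
# or syntax-check first with 'nft -c -f <file>'.
table ip mangle {
    chain prerouting {
        # The dup statement only acts inside a chain hooked into the
        # packet path; the wiki's one-liners assume this chain exists.
        type filter hook prerouting priority mangle; policy accept;

        # Mirror only HTTP from the LAN (assumed prefix) to one sensor,
        # forcing the copy out through eth1. A route to 172.20.0.2 via
        # eth1 must exist. The counter shows how many packets were copied
        # when inspected with 'nft list ruleset'.
        ip saddr 192.168.0.0/24 tcp dport 80 counter dup to 172.20.0.2 device eth1

        # Mirror HTTPS per source host to a sensor chosen from a map.
        # Map keys must be distinct; hosts not in the map are not copied.
        ip saddr 192.168.0.0/24 tcp dport 443 counter dup to ip saddr map {
            192.168.0.1 : 172.20.0.2,
            192.168.0.2 : 172.20.0.3
        }
    }
}
```

The original packet continues through the rest of the ruleset unchanged; only the copy is sent to the sensor, so a dup rule never alters forwarding of the traffic it mirrors.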