Hi Pablo,

On Thu, Jul 17, 2025 at 02:01:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 17, 2025 at 04:27:37PM +0800, Miao Wang via B4 Relay wrote:
> > From: Miao Wang <shankerwangmiao@xxxxxxxxx>
> >
> > The redirect target in ebtables does two things: 1. set skb->pkt_type to
> > PACKET_HOST, and 2. set the destination mac address to the address of
> > the receiving bridge device (when not used in BROUTING chain), or the
> > receiving physical device (otherwise). However, the latter cannot be
> > implemented in nftables not given the translated mac address. So it is
> > not appropriate to give a specious translation.
>
> It should be possible to expose the bridge port device address through
> this extension, see (untested) patch.

Yes, that looks good!

> Then, it should be possible to provide this translation:
>
> ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
>   counter meta pkttype set host ether daddr set meta ibrhwdr accept'

Now in broute table, ebt_redirect.ko sets the ether daddr of the packet to
that of the incoming interface, i.e. the bridge port not the bridge itself.
We'll need an extension for that, too, right?

I guess just calling 'redirect' verdict will manipulate the IP header as
well which we don't want.

Cheers, Phil