On Sat, Jul 19, 2025 at 05:24:10PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> > > nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
> > > counter meta pkttype set host ether daddr set meta ibrhwdr accept'
> >
> > Now in broute table, ebt_redirect.ko sets the ether daddr of the packet
> > to that of the incoming interface, i.e. the bridge port not the bridge
> > itself. We'll need an extension for that, too right?
>
> Yes, but i don't think the broute feature is that relevant given the lack
> of requests for support in nftables. Most want to make the packet
> enter the bridge input path and not pretend that the bridge didn't exist
> in the first place.
>
> > I guess just
> > calling 'redirect' verdict will manipulate the IP header as well which
> > we don't want
>
> Can you point me to the code that alters the IP header? I can't find
> anything.

I guess this is a misunderstanding, but continuing along the lines:
xt_REDIRECT.ko calls nf_nat_redirect() for incoming packets passing the
incoming interface's IP address as 'newdst' parameter. I assume conntrack
then executes, no?

Cheers, Phil