On Wed, Jul 23, 2025 at 01:31:53AM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > > calling 'redirect' verdict will manipulate the IP header as well which
> > > > we don't want
> > >
> > > Can you point me to the code that alters the IP header? I can't find
> > > anything.
> >
> > I guess this is a misunderstanding, but continuing along the lines:
> > xt_REDIRECT.ko calls nf_nat_redirect() for incoming packets, passing the
> > incoming interface's IP address as the 'newdst' parameter. I assume
> > conntrack then executes, no?
>
> Hmmm, I was referring to ebt_redirect, not xt/nft redirect.
> What's the concern here?

I was considering using nftables' redirect verdict for translating
ebtables' redirect in the broute table, but it's nonsense: On one hand,
nftables' bridge family doesn't support redirect to begin with. On the
other, inet redirect is about IP addresses and doesn't alter MACs at
all. I somehow assumed it would set both to the incoming interface's
and then just realized that ebt_redirect does not change the IP
address.

> inet redirect should be fully functional, if that's wanted, for skbs
> passed to bridge local in via ebt_redirect (or nft bridge family
> with mac dest rewritten to a local address + altered packet type).
>
> At least I don't see why it would not work.

I guess we just need NFT_META_IIFHWADDR in addition to Pablo's
suggested NFT_META_BRI_IIFHWADDR for full translation support.

Sorry for the confusion, Phil