3

In ebtables, BROUTING chain in broute table has special behaviors for ACCEPT and DROP actions: ACCEPT means bridging/forward path and DROP means routing/input path. For example, to force all non-IPv6 packets to go through NAT, with the proper iptables settings while IPv6 packets are all directly bridged, one could do:

ebtables -t broute -A BROUTING -p ! ipv6 -j DROP -i wan

How can I get this behavior in nftables?

Several posts and the old nftables man pages suggested that this isn't implemented. Also, there're a thread in the nftables mailing list which eventually got no actually valid reply.

Is it still unimplemented? If so, is there any workaround or do I have to use ebtables-legacy? Thanks.

Charlie Jiang
  • 33
  • 5
  • Do you have to use brouting in the first place, as opposed to regular routing for everything? We used to have a firewall that did what you're describing (routing for v4 and bridging for v6) and would not do it again, ever. Most likely proxy-NDP would be a functionally cleaner replacement in general. (Such as not messing up IPv6 fragmentation for one...) – u1686_grawity Jun 23 '22 at 18:54
  • @user1686 You are correct. This is indeed a not very neat solution. However, when I search for routing for v4 and bridging for v6, almost every solution suggests using the BROUTING trick... I'll check out the proxy NDP solution. – Charlie Jiang Jun 23 '22 at 19:04

1 Answers1

2

Is it still unimplemented?

Yes, but still only for a few weeks (Linux kernel 6.4 should be released at end of 2023-06 or start of 2023-07) . The accepted proposition (after a few iterations) for using broute with nftables in netfilter-devel is from 2023-02-24.

It has been added in yet-to-be-released Linux kernel 6.4 on 2023-04-26:

Netfilter:

  • Add nf_tables 'brouting' support, to force a packet to be routed instead of being bridged

and is in the pipeline for the yet-to-be-released next nftables version, probably 1.0.8:

meta: introduce meta broute support

Can be used in bridge prerouting hook to divert a packet to the ip stack for routing.

This is a replacement for ebtables -t broute functionality.

There's no ebtables peculiarity about using accept/drop with a special broute type. It's used by setting the broute flag in a rule in the bridge family type filter and prerouting hook:

meta broute set 1

So instead of (actually using ebtables-legacy, since ebtables-nft has always been lacking support for broute):

ebtables -t broute -A BROUTING -p ! ipv6 -j DROP -i wan

one will do instead something like:

table bridge b {
    chain prerouting {
        type filter hook prerouting priority -250; policy accept;
        ether type != ip6 iifname wan meta broute set 1 accept
    }
}

In addition, ebtables-nft (shipped through iptables sources for the nftables backend variant), has also received an equivalent patch for the yet-to-be-released next version:

ebtables-nft: add broute table emulation

Use new meta broute set 1 to emulate -t broute. If -t broute is given, automatically translate -j DROP to meta broute set 1 accept internally.

which will allow to use ebtables-nft instead of ebtables-legacy (still with kernel >= 6.4) to accept as-is:

ebtables -t broute -A BROUTING -p ! ipv6 -j DROP -i wan
A.B
  • 5,338
  • 1
  • 17
  • 20