I am currently working on placing a DHCP server in a Docker bridge network. To make sure the packets get through, I have the following:

table netdev filterearly_lan10 {
    chain ingress {
        type filter hook ingress device enp1s0.10 priority -500; policy accept;
        meta nftrace set 1
        ether daddr ff:ff:ff:ff:ff:ff udp sport 68 fwd to "br-a039f83f0bc5";
    }
}
Using nft monitor trace, I can see the first packet:
trace id e0907bbc netdev filterearly_lan10 ingress packet: iif "enp1s0.10" ether saddr 08:00:27:65:d0:37 ether daddr ff:ff:ff:ff:ff:ff vlan pcp 0 vlan dei 0 vlan id 10 ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip protocol udp ip length 328 udp sport 68 udp dport 67 udp length 308 @th,64,96 0x1010600e7f4d81b000d0000
trace id e0907bbc netdev filterearly_lan10 ingress rule meta nftrace set 1 (verdict continue)
trace id e0907bbc netdev filterearly_lan10 ingress rule ether daddr ff:ff:ff:ff:ff:ff udp sport 68 fwd to "br-a039f83f0bc5" (verdict stolen)
followed by the reply:
trace id a119cb52 inet filter forward packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ether saddr 02:42:ac:19:0a:05 ether daddr 02:42:29:21:39:06 ip saddr 172.25.10.5 ip daddr 192.168.1.134 ip dscp cs6 ip ecn not-ect ip ttl 63 ip id 38372 ip protocol udp ip length 328 udp sport 67 udp dport 68 udp length 308 @th,64,96 0x2010600e7f4d81b000d0000
trace id a119cb52 inet filter forward rule meta nftrace set 1 (verdict continue)
trace id a119cb52 inet filter forward verdict continue
trace id a119cb52 inet filter forward policy accept
trace id a119cb52 inet customblock block packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ether saddr 02:42:ac:19:0a:05 ether daddr 02:42:29:21:39:06 ip saddr 172.25.10.5 ip daddr 192.168.1.134 ip dscp cs6 ip ecn not-ect ip ttl 63 ip id 38372 ip protocol udp ip length 328 udp sport 67 udp dport 68 udp length 308 @th,64,96 0x2010600e7f4d81b000d0000
trace id a119cb52 inet customblock block verdict continue
trace id a119cb52 inet customblock block policy accept
However, that is as far as the reply packet gets; it never hits the NAT chain that is needed to masquerade the reply packet's IP. I can see it with tcpdump -i br-a039f83f0bc5 port 67 and port 68 or arp -nne, but not with tcpdump -i enp1s0.10 -nn port 67 or port 68.
For reference, my postrouting chain is:

chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    meta nftrace set 1
    iifname "br-a039f83f0bc5" oifname "enp1s0.10" masquerade;
    oifname "ppp0" masquerade;
}
The netfilter documentation states:
- NF_STOLEN: I've taken over the packet; don't continue traversal.
I am wondering whether this also affects the reply packet?
How can I make the reply packet traverse netfilter as usual? Thanks
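To read a longer nft monitor trace session the way the excerpt above is read by eye (which chains each trace id visited, whether a netdev rule stole the packet, and which packets reach a forward chain without ever hitting the NAT postrouting chain), here is an added Python parser; it is not part of the question, and its embedded sample lines are a constructed abridgement of the trace shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `nft monitor trace` output: a stolen DHCP
# discover (netdev ingress, fwd) and the reply that reaches inet forward only.
SAMPLE_TRACE = """\
trace id e0907bbc netdev filterearly_lan10 ingress packet: iif "enp1s0.10" ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67
trace id e0907bbc netdev filterearly_lan10 ingress rule meta nftrace set 1 (verdict continue)
trace id e0907bbc netdev filterearly_lan10 ingress rule ether daddr ff:ff:ff:ff:ff:ff udp sport 68 fwd to "br-a039f83f0bc5" (verdict stolen)
trace id a119cb52 inet filter forward packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ip saddr 172.25.10.5 ip daddr 192.168.1.134 udp sport 67 udp dport 68
trace id a119cb52 inet filter forward rule meta nftrace set 1 (verdict continue)
trace id a119cb52 inet filter forward policy accept
trace id a119cb52 inet customblock block policy accept
"""

LINE_RE = re.compile(r'^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) '
                     r'(?P<chain>\S+) (?P<kind>packet|rule|verdict|policy):?\s*(?P<rest>.*)$')
VERDICT_RE = re.compile(r'\(verdict (?P<verdict>[a-z]+)\)')
FIELD_RE = re.compile(r'(iif|oif|ip saddr|ip daddr|udp sport|udp dport) "?([^\s"]+)"?')

def parse_trace(text):
    """Group trace lines by trace id: ordered chains visited, verdicts, packet header fields."""
    traces = defaultdict(lambda: {"chains": [], "verdicts": [], "packet": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a trace line (e.g. other nft monitor events)
        t = traces[m["id"]]
        chain = (m["family"], m["table"], m["chain"])
        if chain not in t["chains"]:
            t["chains"].append(chain)
        if m["kind"] == "packet" and not t["packet"]:
            t["packet"] = dict(FIELD_RE.findall(m["rest"]))
        v = VERDICT_RE.search(m["rest"])
        if v:
            t["verdicts"].append(v["verdict"])       # rule verdict, e.g. stolen
        elif m["kind"] in ("verdict", "policy"):
            t["verdicts"].append(m["rest"].strip())  # chain verdict / policy
    return dict(traces)

def stolen_ids(traces):
    """Trace ids whose packet was taken over (fwd/dup in netdev): it never re-enters the stack."""
    return sorted(i for i, t in traces.items() if "stolen" in t["verdicts"])

def ids_missing_chain(traces, seen_chain, expected_chain):
    """Trace ids that visited a chain named seen_chain but never one named expected_chain."""
    hit = lambda t, name: any(c[2] == name for c in t["chains"])
    return sorted(i for i, t in traces.items()
                  if hit(t, seen_chain) and not hit(t, expected_chain))
```

Feed it the saved output of nft monitor trace (for example parse_trace(open("trace.log").read())) and query ids_missing_chain(traces, "forward", "postrouting") to list the replies that were forwarded but never NAT-ed.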