migrating to nftables and changing TTL of packets

Linux Kernel, Network, and Services configuration.
quack75
Posts: 5
Joined: 2019-07-14 16:44

migrating to nftables and changing TTL of packets

#1 Post by quack75 »

Hi,

I'm planning a migration to nftables.

In my current iptables rules, I have the following rule:

iptables -t mangle -A PREROUTING -i eth0 -d 239.255.255.250 -j TTL --ttl-inc 1
This rule is useful to route multicast UPnP traffic. Basically it is just here to prevent the TTL from being decremented for these packets.
I spent many hours trying to build an equivalent rule with nftables, but so far I haven't found any solution.

I may have found how to SET the ttl value using a rule like this:

nft add rule inet filter input ip ttl set 123
but:
1- I'm not sure it will work
2- it doesn't do exactly what I need to do, which is INCREMENT the TTL by 1

Can someone help me?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: migrating to nftables and changing TTL of packets

#2 Post by Head_on_a_Stick »

If you're using Debian buster then you can carry on using your iptables rules; they will be translated for the nftables backend: https://www.debian.org/releases/stable/ ... l#nftables

quack75
Posts: 5
Joined: 2019-07-14 16:44

Re: migrating to nftables and changing TTL of packets

#3 Post by quack75 »

Yes, I know that, but I would like to move forward and use nftables.

quack75
Posts: 5
Joined: 2019-07-14 16:44

Re: migrating to nftables and changing TTL of packets

#4 Post by quack75 »

Anyone?
I can't imagine such a simple action is not supported by nftables yet?

quack75
Posts: 5
Joined: 2019-07-14 16:44

Re: migrating to nftables and changing TTL of packets

#5 Post by quack75 »

It really seems that this is not supported by nftables (yet?)

Really disappointing!

CwF
Global Moderator
Posts: 2625
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 190 times

Re: migrating to nftables and changing TTL of packets

#6 Post by CwF »

hmmm, removing iptables also currently breaks libvirt...

quack75
Posts: 5
Joined: 2019-07-14 16:44

Re: migrating to nftables and changing TTL of packets

#7 Post by quack75 »

Any news on this?

fabien
Forum Helper
Posts: 604
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 60 times
Been thanked: 141 times

Re: migrating to nftables and changing TTL of packets

#8 Post by fabien »

From here: https://forum.openwrt.org/t/nft-rule-fo ... ing/147697
Not supported today in nftables.
But maybe a hope here, albeit rather sibylline, for me at least:
https://www.spinics.net/lists/netfilter/msg59209.html
> I see that you can *set* the ttl, something like:
>
> nft add rule inet mytable mychain ip ttl set 2
>
> but I don't see how I could do something like decrement the ttl by 4 or
> basically do anything where you'd calculate the TTL as a function of its
> current value.
>
> In general calculating simple arithmetic in order to manipulate fields isn't
> necessarily obvious in nftables. Any pointers?
>
>

You are able to make arbitrary changes via a netfilter_queue (nfq) program: send
packets that you wish to manipulate to a QUEUE. Unlike with xtables, in nft this
is not a final verdict: other chains in the same table will see the packet after
manipulation as long as they run at a lower priority than the chain that did the
queuing. (I.e. as long as the nfq program accepts the packet).

vmspike
Posts: 1
Joined: 2023-09-13 10:48
Been thanked: 1 time

Re: migrating to nftables and changing TTL of packets

#9 Post by vmspike »

A slightly verbose but efficient enough workaround can be applied using vmap (since TTL is only a 1-byte field).
Basic skeleton:

table ip mangle {
    map ttli {
        typeof ip ttl : verdict;
        flags constant;
        elements = {
            0: jump ttli0,
            1: jump ttli1,
            ...
            254: jump ttli254
        }
    }
    chain ttli0 { ip ttl set 1; }
    chain ttli1 { ip ttl set 2; }
    ...
    chain ttli254 { ip ttl set 255; }

    chain postrouting {
        type filter hook postrouting priority mangle; policy accept;
    }
}
Example rule:

nft add rule ip mangle postrouting ... ip ttl vmap @ttli
Better than queue to userspace.

Tried to use a regular map directly (like in nat rules), but it seems it's not supported either (at least I failed to find the proper syntax):

nft 'add rule ip mangle postrouting ... ip ttl set to ip ttl map { 64: 65, 63: 64 }'  # Syntax error

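As an added example (not vmspike's code or anything from the nftables project), a POSIX shell function that writes out the full ruleset the skeleton above elides, combining the per-TTL vmap workaround with the UPnP rule from post #1; the interface name eth0, the table name mangle and the chain name prerouting are assumptions, and the ruleset is printed for review rather than loaded with nft.

```shell
#!/bin/sh
# Generate an nftables ruleset that increments the TTL by one for SSDP/UPnP
# multicast packets (239.255.255.250) arriving on a given interface.
# nft cannot compute "ttl + 1" directly, so every TTL value 0..254 maps to a
# chain that sets the next value; packets with TTL 255 match no element and
# pass through unchanged. Nothing is loaded: the text goes to stdout.
gen_ttl_inc_ruleset() {
    iface="${1:-eth0}"               # assumption: ingress interface
    dst="${2:-239.255.255.250}"      # SSDP multicast group from post #1
    printf 'table ip mangle {\n'
    printf '    map ttli {\n'
    printf '        typeof ip ttl : verdict;\n'
    printf '        flags constant;\n'
    printf '        elements = {\n'
    i=0
    while [ "$i" -le 254 ]; do
        if [ "$i" -lt 254 ]; then sep=','; else sep=''; fi
        printf '            %d : jump ttli%d%s\n' "$i" "$i" "$sep"
        i=$((i + 1))
    done
    printf '        }\n    }\n'
    # One tiny chain per TTL value; jump returns to the caller afterwards,
    # so later rules in prerouting still see the packet.
    i=0
    while [ "$i" -le 254 ]; do
        printf '    chain ttli%d { ip ttl set %d; }\n' "$i" $((i + 1))
        i=$((i + 1))
    done
    printf '    chain prerouting {\n'
    printf '        type filter hook prerouting priority mangle; policy accept;\n'
    printf '        iifname "%s" ip daddr %s ip ttl vmap @ttli\n' "$iface" "$dst"
    printf '    }\n}\n'
}

# Number of per-value chains emitted (255 for TTL 0..254).
count_ttl_chains() {
    gen_ttl_inc_ruleset "$@" | grep -c '^    chain ttli'
}
```

Pipe the output through `nft -c -f -` to syntax-check it before loading it with `nft -f`.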