How to redirect some packets with nft in vyos without souce nat?

ackema · July 28, 2023, 2:48am

This is my vyos router:

I want to redirect some packets with nft commands:

nft add table inet mangle
nft 'add chain inet mangle janusnat { type nat hook prerouting priority -130; }'
nft add inet mangle janusnat meta mark 2 tcp dport 80 counter redirect to 2061

If I configure source nat in vyos, nft’s redirections works

vyos@vyos# show protocols 
 static {
     route 0.0.0.0/0 {
         next-hop 10.10.193.1 {
         }
     }
 }
[edit]
vyos@vyos# 
[edit]
vyos@vyos# show nat
 source {
     rule 1 {
         outbound-interface eth0
         source {
             address 0.0.0.0/0
         }
         translation {
             address masquerade
         }
     }
 }
[edit]

However, if the vyos does not configure souce nat, packets will bypass my ruleset?

vyos@vyos# show protocols 
 static {
     route 0.0.0.0/0 {
         next-hop 10.10.193.1 {
         }
     }
 }
[edit]
vyos@vyos# 
[edit]
vyos@vyos# show nat
Configuration under specified path is empty
[edit]

How can I make the nft ruleset do redirect without vyos’s source nat?
Thanks

j.landicho · July 28, 2023, 5:06am

Hi!

Which version are you using?

ackema · July 28, 2023, 7:34am

Version: VyOS 1.3-rolling

I find a temporary solution：add a source nat never would be meet, link:

vyos@vyos# show nat 
 source {
     rule 1 {
         outbound-interface eth0
         protocol tcp
         source {
             address 0.0.0.0/32
             port 1
         }
         translation {
             address masquerade
         }
     }
 }

n.fort · July 28, 2023, 10:30am

NAT redirection was recently added in 1.4: ⚓ T4889 Add nftables NAT REDIRECT [to localhost] to CLI

You could achieve this using native vyos commands.