nftables - 대상 MAC을 설정하고 계속 ARP 요청을 보냅니다.

nftables - 대상 MAC을 설정하고 계속 ARP 요청을 보냅니다.

그래요노력하다개인 Docker 브리지 뒤에서 DHCP 서버를 실행합니다.

이제 DHCPDISCOVER브로드캐스트 패킷을 Docker 브리지 뒤에 있는 DHCP 서버로 다시 라우팅하고 DHCP가 응답하도록 할 수 있습니다 DHCPOFFER.

table netdev filterearly {
    chain ingress {
        type filter hook ingress device enp1s0.10 priority -500; policy accept;
            ether daddr ff:ff:ff:ff:ff:ff udp sport 68 ip daddr 255.255.255.255 ether daddr set a0:ce:c8:ef:42:64 ip saddr set 192.168.1.0 ip daddr set 172.25.10.5 meta pkttype set host;
    }
}
root@debian:~# tcpdump -i br-a039f83f0bc5 port 67 and port 68 or arp -nne
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-a039f83f0bc5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:47:48.520078 02:42:b6:0c:71:65 > 02:42:ac:19:0a:05, ethertype IPv4 (0x0800), length 342: 192.168.1.0.68 > 172.25.10.5.67: BOOTP/DHCP, Request from 08:00:27:b7:6d:8e, length 300
08:47:51.528778 02:42:ac:19:0a:05 > 02:42:b6:0c:71:65, ethertype IPv4 (0x0800), length 342: 172.25.10.5.67 > 192.168.1.144.68: BOOTP/DHCP, Reply, length 300

그러나 시스템이 계속 ARP 요청을 보내므로 DHCPOFFER인터페이스에서 벗어나지는 않습니다.

root@debian:~# tcpdump -i enp1s0.10 port 67 and port 68 or arp -nne
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:46:12.556651 08:00:27:b7:6d:8e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 08:00:27:b7:6d:8e, length 300
08:46:12.557763 f0:2f:74:2d:28:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.144 tell 192.168.1.1, length 28
08:46:13.577352 f0:2f:74:2d:28:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.144 tell 192.168.1.1, length 28

이 문제를 해결하기 위해 CHADDR필드에서 대상 MAC 주소를 설정했습니다.DHCPOFFER:

table inet mangle {
    chain postrouting {
        type filter hook postrouting priority 50;
        udp sport 67 @ll,0,48 set @th,288,48;   
    }       
}

그럼에도 불구하고 ARP 요청은 계속 전송되고 있습니다.

그림에서 nft monitor trace나는 순회가 끝나면 패킷이 도착한다는 것을 알 수 있는데 inet nat postrouting, 이는 대략 ARP 조회가 시작되는 때입니다.

...
trace id 537265a7 inet filter forward packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ether saddr 02:42:ac:19:0a:05 ether daddr 02:42:b6:0c:71:65 ip saddr 172.25.10.5 ip daddr 192.168.1.144 ip dscp cs6 ip ecn not-ect ip ttl 63 ip id 53344 ip protocol udp ip length 328 udp sport 67 udp dport 68 udp length 308 @th,64,96 0x2010600fc731d6f00000000 
trace id 537265a7 inet filter forward rule meta nftrace set 1 (verdict continue)
trace id 537265a7 inet filter forward verdict continue 
trace id 537265a7 inet filter forward policy accept 
trace id 537265a7 inet mangle postrouting packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ether saddr 02:42:ac:19:0a:05 ether daddr 08:00:27:b7:6d:8e ip saddr 172.25.10.5 ip daddr 192.168.1.144 ip dscp cs6 ip ecn not-ect ip ttl 63 ip id 53344 ip protocol udp ip length 328 udp sport 67 udp dport 68 udp length 308 @th,64,96 0x2010600fc731d6f00000000 
trace id 537265a7 inet mangle postrouting rule udp sport 67 @ll,0,48 set @th,288,48 (verdict continue)
trace id 537265a7 inet mangle postrouting verdict continue 
trace id 537265a7 inet mangle postrouting policy accept 
trace id 537265a7 inet nat postrouting packet: iif "br-a039f83f0bc5" oif "enp1s0.10" ether saddr 02:42:ac:19:0a:05 ether daddr 08:00:27:b7:6d:8e ip saddr 172.25.10.5 ip daddr 192.168.1.144 ip dscp cs6 ip ecn not-ect ip ttl 63 ip id 53344 ip protocol udp ip length 328 udp sport 67 udp dport 68 udp length 308 @th,64,96 0x2010600fc731d6f00000000 
trace id 537265a7 inet nat postrouting rule meta nftrace set 1 (verdict continue)
trace id 537265a7 inet nat postrouting rule iifname "br-a039f83f0bc5" oifname "enp1s0.10" masquerade (verdict accept)

netfilter에게 ARP를 수행하지 않고 현재 헤더 정보와 함께 패킷을 보내도록 지시하는 방법이 있습니까?

감사해요

관련 정보