
I have been experimenting with using tc, tc-nat and tc-pedit to perform stateless NAT operations. My goal is to mirror packets from one interface (eth0) to another (eth1), but I also want to change the destination IP and destination MAC, so the packets can be delivered to another host.

Host A [Eth0 -> Eth1 (change IP dst, change MAC dst)] -------> HOST B

Because I have other applications listening on Eth0, I can't perform either tc-nat or tc-pedit on the ingress/egress of Eth0. So this is what I did:

  1. Create a dummy interface
  2. Mirror packets from Eth0 to dummy interface
  3. Run tc-nat (to change destination IP) on egress side of dummy, pipe into tc-pedit (to change destination MAC), and pipe to mirror to Eth1.

The above contraption works as expected, but the performance is terrible (particularly when compared to a libpcap based application such as tcpbridge).

I started this approach hoping to achieve better performance in kernel space vs. a libpcap based application in user space. I'm curious whether there is a better way.

user2066671
  • It might be helpful to better explain what you are trying to accomplish. For example, why can't you just change the IP address on ingress and then let normal packet processing route the packet and set the mac addresses and just apply the nat on egress? – JimD. May 11 '17 at 07:12
  • I'm trying to create a tap solution using NAT, so packets can't be altered on ingress since there are client/server applications active. The only other possibility I found and haven't tried is to mirror to an iptables entry, where NAT is performed. – user2066671 May 11 '17 at 13:51
  • I'm having a hard time understanding what you are trying to do. You have some frames coming in on eth0 and some applications that are processing some/all? of them. You then want to mirror all? the frames to eth1 and change MAC addresses, IP addresses and then **NAT**. So it seems like you want the frames mirrored to eth1 to be routable, and also, because of the NAT, you want some app to process the frames and respond. If you want a local app to process and also want to mirror the frames to another app that also will process the frames, that is pretty unusual. – JimD. May 11 '17 at 14:42
  • So, to be clear, why do you need the NAT? – JimD. May 11 '17 at 14:50
  • Unusual it is, but that is precisely my use case. Basically, I want to mirror packets to somewhere else while not disturbing the application stack. Because I'm doing this in a virtual environment, I need to NAT it to route it to the destination. – user2066671 May 11 '17 at 20:35
  • I still don't understand why you need to NAT. If you essentially SPAN traffic to another interface, why do you need to NAT? Maybe the receiving interface has reverse path forwarding enabled? – JimD. May 12 '17 at 13:22
  • Yes, and also because I can't use IP forwarding and tunnel encapsulation, since those are customer application environments. – user2066671 May 12 '17 at 20:00
  • So fine, it is a client environment where you don't have full control, but spanning everything arriving on eth0 to eth1 with a NAT sounds risky. Pings, TCP SYNs, routing protocols, etc. could get a response from the traffic sent out eth1, which is probably not what you want (or maybe it is). – JimD. May 13 '17 at 12:44
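The three-step chain described in the question (dummy interface, mirror from eth0, rewrite-and-forward on the dummy's egress), written out as an added example; this is editor-supplied shell, not commands posted by the asker or a reply from the thread. The dummy interface name `mirror0`, Host A's address `192.0.2.1`, the rewritten destination `192.0.2.10` and the MAC `02:00:00:00:00:0b` are constructed placeholders. It assumes a kernel and iproute2 recent enough for `clsact`, `matchall` and `pedit ex` (roughly 4.8+ and 4.11+). By default (`DRY_RUN=1`) it only prints the commands; set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original question: tc-based tap with
# destination IP/MAC rewrite, mirrored from eth0 via a dummy interface.
# Placeholder values below (interface name, addresses, MAC) are constructed.
set -eu

SRC_IF="${SRC_IF:-eth0}"            # tapped interface; applications keep using it
OUT_IF="${OUT_IF:-eth1}"            # interface towards Host B
DUMMY_IF="${DUMMY_IF:-mirror0}"     # assumed name for the dummy hop
OLD_DST_IP="${OLD_DST_IP:-192.0.2.1}"           # Host A's address on eth0 (constructed)
NEW_DST_IP="${NEW_DST_IP:-192.0.2.10}"          # Host B's address (constructed)
NEW_DST_MAC="${NEW_DST_MAC:-02:00:00:00:00:0b}" # Host B / next-hop MAC (constructed)
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the dummy interface. Frames sent "out" of a dummy device are
# discarded by the kernel, so nothing listening on eth0 sees the rewritten copy.
create_dummy() {
    run ip link add "$DUMMY_IF" type dummy
    run ip link set "$DUMMY_IF" up
}

# Step 2: mirror every frame arriving on eth0 into the dummy's egress path.
# mirred "egress mirror" hands a clone to the dummy's transmit path, so the
# dummy's egress (clsact) filters run on the copy, never on the original.
mirror_ingress() {
    run tc qdisc add dev "$SRC_IF" clsact
    run tc filter add dev "$SRC_IF" ingress matchall \
        action mirred egress mirror dev "$DUMMY_IF"
}

# Step 3: on the dummy's egress hook, rewrite and forward.
#  - "nat ingress OLD NEW" rewrites the *destination* address: tc-nat's
#    ingress/egress keyword selects DNAT vs SNAT regardless of which hook the
#    action sits on, and nat also fixes the IP and L4 checksums, which a plain
#    pedit of the address would not.
#  - "pedit ex munge eth dst set" rewrites the destination MAC.
#  - "mirred egress redirect" sends the result out eth1; redirect rather than
#    mirror is enough because the dummy would drop the frame anyway.
# The u32 match restricts the rewrite to IPv4 frames addressed to Host A, so
# ARP and other non-IP traffic mirrored into the dummy never reaches nat.
rewrite_and_forward() {
    run tc qdisc add dev "$DUMMY_IF" clsact
    run tc filter add dev "$DUMMY_IF" egress protocol ip prio 1 \
        u32 match ip dst "$OLD_DST_IP"/32 \
        action nat ingress "$OLD_DST_IP" "$NEW_DST_IP" pipe \
        action pedit ex munge eth dst set "$NEW_DST_MAC" pipe \
        action mirred egress redirect dev "$OUT_IF"
}

# Tear-down in reverse order; errors are ignored so it works on a partial setup.
teardown() {
    run tc qdisc del dev "$DUMMY_IF" clsact || true
    run tc qdisc del dev "$SRC_IF" clsact || true
    run ip link del "$DUMMY_IF" || true
}

case "${1:-up}" in
    up)   create_dummy; mirror_ingress; rewrite_and_forward ;;
    down) teardown ;;
    *)    echo "usage: $0 [up|down]" >&2; exit 2 ;;
esac
```

Only frames arriving on eth0 are mirrored, matching the question's one-way tap; the u32 match on Host A's own address is also why a single `nat` rule suffices, since tc-nat only replaces the prefix bits covered by OLD's mask and an exact /32 match replaces the whole address. Run `./script.sh down` to remove the qdiscs and the dummy interface.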

0 Answers