Duplicating packets: Difference between revisions
Latest revision as of 00:30, 17 February 2021
Since Linux kernel 4.3, the dup statement can duplicate matching packets to another IPv4 or IPv6 destination address (ip and ip6 families). The statement is non-terminal: a copy is sent towards the given address and the original packet continues through the ruleset unchanged. You may want to use this feature to copy selected traffic from the local system to a remote host for further inspection, for example a sensor running a packet capture or an IDS.
The following rule duplicates all traffic traversing the prerouting chain of table mangle (the table and chain are assumed to exist already) to 172.20.0.2:
% nft add rule mangle prerouting dup to 172.20.0.2
Note that the copy keeps the original IP header, including the original destination address; the kernel only routes it towards 172.20.0.2. The host at 172.20.0.2 should therefore be reachable on a directly connected link and capture the copies with a sniffer (for example tcpdump), since they are not addressed to it and will not be delivered to a socket there.
You can also force the dup statement to send the copies out of a given network device:
% nft add rule mangle prerouting dup to 172.20.0.2 device eth1
The above rule specifies that the duplicated packets must leave the system via interface eth1. Your system must have a route to reach 172.20.0.2 via eth1 for this to work; if the route lookup restricted to that device fails, the copy is dropped.
You can also combine the dup statement with maps, so that the collector address is selected per packet. For example:
% nft add rule mangle prerouting dup to ip saddr map { 192.168.0.1 : 172.20.0.2, 192.168.0.2 : 172.20.0.3 }
This rule sends duplicated packets to different remote hosts depending on the source IPv4 address: packets from 192.168.0.1 are copied to 172.20.0.2 and packets from 192.168.0.2 to 172.20.0.3. Packets whose source address is not a key of the map are not duplicated at all, because a failed map lookup stops evaluation of the rule. Each key may appear only once in the map.
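As an added example, not code from the nftables wiki or the nftables project, the following POSIX shell script builds a complete ruleset file for `nft -f` from the three kinds of dup statement shown above: a plain duplicate, a duplicate pinned to an egress device, and a map-based duplicate generated from a list of source/collector pairs. The helper names dup_rule, dup_map_rule and emit_ruleset, the sample addresses and the interface eth1 are assumptions made for this example, and the chain is placed in an ip-family table named mangle with a prerouting hook. The script never calls nft itself, so it runs anywhere; the generated file can be validated on the target host with `nft -c -f`.

```shell
#!/bin/sh
# Added example, not code from the nftables wiki: generate an `nft -f`
# ruleset that mirrors selected traffic to collector hosts with dup.
# Helper names, addresses and the eth1 interface are assumptions.

# Build one dup statement. The optional second argument is the egress
# device, which becomes the "device" clause of the statement.
dup_rule() {
    dest=$1
    dev=$2
    if [ -n "$dev" ]; then
        printf 'dup to %s device %s\n' "$dest" "$dev"
    else
        printf 'dup to %s\n' "$dest"
    fi
}

# Build a map-based dup statement from "source collector" pairs read on
# stdin, one pair per line. A key may appear only once in an nft map, so a
# repeated source address makes the function fail (exit 1, no output)
# instead of producing a ruleset that nft would reject on load.
dup_map_rule() {
    awk '
        NF != 2 { next }
        seen[$1]++ { bad = 1; exit 1 }
        { body = body sep $1 " : " $2; sep = ", " }
        END { if (!bad) printf "dup to ip saddr map { %s }\n", body }
    '
}

# Write a complete ruleset: an ip-family table "mangle" with a prerouting
# chain that carries the given statements (one statement per argument).
# Priority -150 is the conventional mangle priority.
emit_ruleset() {
    printf 'table ip mangle {\n'
    printf '    chain prerouting {\n'
    printf '        type filter hook prerouting priority -150; policy accept;\n'
    for stmt in "$@"; do
        printf '        %s\n' "$stmt"
    done
    printf '    }\n'
    printf '}\n'
}

# Constructed sample input (assumed addresses): copy traffic from two
# hosts to two different collectors, plus an unconditional copy via eth1.
pairs='192.168.0.1 172.20.0.2
192.168.0.2 172.20.0.3'

map_stmt=$(printf '%s\n' "$pairs" | dup_map_rule) || {
    echo "duplicate source address in collector map" >&2
    exit 1
}

emit_ruleset "$(dup_rule 172.20.0.2 eth1)" "$map_stmt"
```

Redirect the output to a file and load it with `nft -f`; running `nft -c -f` first checks the syntax without touching the live ruleset. The duplicate-key check in dup_map_rule exists because the map form is usually generated from an inventory of hosts, and a host listed twice would otherwise only be noticed when nft refuses the whole ruleset.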