Home / server / Questions / 726764
In Process
gucki
Asked: 2015-10-06 03:10:05 +0800 CST

Migration of ebtables arp rule to nftables

  • 772

I'd like to move to nftables (Ubuntu trusty, kernel 3.19). However I wonder how to migrate ebtables rules for ARP packets:

-p ARP --arp-op Request --arp-ip-src 192.168.178.237 --arp-mac-src 2:fb:c5:e0:ef:a3 -j ACCEPT

The command nft add rule bridge filter qemu1-o arp operation request counter accept works, however I can't figure out how to add the ip/mac contraints to the rule.

iptables

1 Answers

  1. Unfortunately nftables have no implemented syntax for source and destination ipv4 address in arp tables right now.

    Empirically I found out that the next expressions can be used instead:

    • plen 4 @nh,64,32 (source ip)
    • plen 4 @nh,96,32 (destination ip)

    IPv4 address in value should be specified in decimal integer type.

    You can use some online converter for get your IP-address to numeric format.

    In your example 192.168.178.237 will be 3232281325

    So final rule will looks like:

    nft add rule arp filter input arp operation request arp plen 4 @nh,64,32 3232281325 ether saddr 2:fb:c5:e0:ef:a3 counter accept

    PS: You can use xtables-nft-multi from the last iptables package which provides nf_tables compat backend for import your old commands and check the new syntax.

    • 1