tc ... action ct [ nat ] [ zone ZONE ]
tc ... action ct clear
It can (as shown in the synopsis, in order):
Send the packet to conntrack and commit the connection, while configuring a 32-bit mark, a 128-bit label, and src/dst nat.
Send the packet to conntrack, which will mark the packet with the connection's state and configured metadata (mark/label), and execute the previously configured nat.
Clear the packet of previous connection tracking state.
Specify src/dst and range of nat to configure for the connection (only valid with commit).
#Add ingress qdisc on eth0 and eth1 interfaces
$ tc qdisc add dev eth0 handle ingress
$ tc qdisc add dev eth1 handle ingress

#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
    action ct zone 2 pipe action goto chain 2
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \
    action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
    action ct nat pipe action mirred egress redirect dev eth1

#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
    action ct zone 2 pipe action goto chain 1
$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
    action ct nat pipe action mirred egress redirect dev eth0
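The rule set above is easiest to reason about by walking packets through it. The following is an added model written for this page, not code from the man page or from iproute2: it implements flower's ct_state matching (a '+' flag must be set, a '-' flag must be clear) and a minimal conntrack table with zones, mark and src nat, then replays the eth0/eth1 filters of the example on four constructed packets. The Packet and Conntrack classes, the documentation-range addresses 192.0.2.10, 198.51.100.80 and 203.0.113.9, and the port numbers are assumptions of the model; only 5.5.5.7, zone 2 and mark 0xbb come from the example. The ip_proto tcp match is not modelled.

```python
"""Model of the tc-ct example: ct_state matching and a two-interface ct/NAT walk.
Educational simulation only; Packet/Conntrack are constructed for this model."""
import re
from dataclasses import dataclass, replace

CT_FLAGS = {"trk", "new", "est", "rpl", "rel", "inv"}


def parse_ct_state(spec):
    """Split a flower ct_state spec like '+trk+new' or '-trk' into the flags
    that must be set and the flags that must be clear."""
    if not re.fullmatch(r"([+-][a-z]+)+", spec):
        raise ValueError(f"malformed ct_state spec: {spec!r}")
    must_set, must_clear = set(), set()
    for sign, name in re.findall(r"([+-])([a-z]+)", spec):
        if name not in CT_FLAGS:
            raise ValueError(f"unknown ct_state flag: {name}")
        (must_set if sign == "+" else must_clear).add(name)
    return must_set, must_clear


def ct_state_matches(spec, flags):
    """True when every '+' flag is present and no '-' flag is present."""
    must_set, must_clear = parse_ct_state(spec)
    return must_set <= flags and not (must_clear & flags)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ct_state: frozenset = frozenset()  # empty set == untracked (-trk)
    ct_zone: int = 0
    ct_mark: int = 0


class Conntrack:
    """Per-zone tables keyed by both the original tuple and the NATed reply
    tuple, so a packet from either direction finds the same connection."""

    def __init__(self):
        self.zones = {}

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def lookup(self, zone, pkt):
        """'action ct zone Z': stamp the packet with the connection's state."""
        entry = self.zones.get(zone, {}).get(self._key(pkt))
        if entry is None:
            return replace(pkt, ct_state=frozenset({"trk", "new"}), ct_zone=zone)
        flags = {"trk", "est"} | ({"rpl"} if self._key(pkt) == entry["reply"] else set())
        return replace(pkt, ct_state=frozenset(flags), ct_zone=zone, ct_mark=entry["mark"])

    def commit(self, zone, pkt, mark, nat_src):
        """'action ct zone Z commit mark M nat src addr A': create the entry
        (original and reply tuples) and translate this first packet."""
        orig = self._key(pkt)
        entry = {"orig": orig, "reply": (pkt.dst, nat_src, pkt.dport, pkt.sport),
                 "mark": mark, "nat_src": nat_src}
        table = self.zones.setdefault(zone, {})
        table[orig] = table[entry["reply"]] = entry
        return self.nat(replace(pkt, ct_mark=mark))

    def nat(self, pkt):
        """'action ct nat': apply the stored translation in the right direction."""
        entry = self.zones.get(pkt.ct_zone, {}).get(self._key(pkt))
        if entry is None:
            return pkt
        if self._key(pkt) == entry["orig"]:
            return replace(pkt, src=entry["nat_src"])  # original direction: SNAT
        return replace(pkt, dst=entry["orig"][0])      # reply direction: undo SNAT on dst


def eth0_ingress(pkt, ct):
    """The eth0 filters. Returns (redirect_dev, packet); redirect_dev is None
    when no filter matched and the packet is not forwarded."""
    # chain 0: ct_state -trk -> action ct zone 2 pipe action goto chain 2
    if not ct_state_matches("-trk", pkt.ct_state):
        return None, pkt
    pkt = ct.lookup(2, pkt)
    # chain 2: ct_state +trk+new -> commit mark 0xbb nat src addr 5.5.5.7 -> eth1
    if ct_state_matches("+trk+new", pkt.ct_state):
        return "eth1", ct.commit(2, pkt, mark=0xBB, nat_src="5.5.5.7")
    # chain 2: ct_zone 2 ct_mark 0xbb ct_state +trk+est -> ct nat -> eth1
    if pkt.ct_zone == 2 and pkt.ct_mark == 0xBB and ct_state_matches("+trk+est", pkt.ct_state):
        return "eth1", ct.nat(pkt)
    return None, pkt


def eth1_ingress(pkt, ct):
    """The eth1 filters: only established zone-2 connections get through."""
    # chain 0: ct_state -trk -> action ct zone 2 pipe action goto chain 1
    if not ct_state_matches("-trk", pkt.ct_state):
        return None, pkt
    pkt = ct.lookup(2, pkt)
    # chain 1: ct_zone 2 ct_mark 0xbb ct_state +trk+est -> ct nat (reverse) -> eth0
    if pkt.ct_zone == 2 and pkt.ct_mark == 0xBB and ct_state_matches("+trk+est", pkt.ct_state):
        return "eth0", ct.nat(pkt)
    return None, pkt  # a new connection arriving on eth1 matches nothing


def demo():
    """Constructed traffic: new outbound, its reply, a second outbound packet,
    and an unsolicited inbound connection attempt on eth1."""
    ct = Conntrack()
    out1 = eth0_ingress(Packet("192.0.2.10", "198.51.100.80", 40000, 80), ct)
    rep = eth1_ingress(Packet("198.51.100.80", "5.5.5.7", 80, 40000), ct)
    out2 = eth0_ingress(Packet("192.0.2.10", "198.51.100.80", 40000, 80), ct)
    stray = eth1_ingress(Packet("203.0.113.9", "5.5.5.7", 1234, 22), ct)
    return out1, rep, out2, stray


if __name__ == "__main__":
    for dev, pkt in demo():
        print(dev, pkt)
```

The last case is the one worth checking on a real deployment: the eth1 side has no filter for +trk+new, so an inbound connection that was not initiated from eth0 reaches no redirect, and only replies to committed zone-2 connections are translated back and forwarded to eth0.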
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Yossi Kuperman <yossiku@mellanox.com>