@sskaje

VyOS Debug PBR & NAT

Written by

sskaje

in

As ROOT.

Keyword: nftrace

Edit VyOS generated NFT files: /run/nftables*.

Enable nftrace on full chain 

table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        meta nftrace set 1
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }
}

Make sure nftrace is enabled before other rules!

Enable nftrace on SINGLE RULE.

table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }

    chain VYOS_PBR_UD_MY_PBR_RULES {
        ip saddr  @A_SRC_HIJACK_MITMPROXY counter meta mark set 2147483628 meta nftrace set 1 return comment "ipv4-route-ROUTE_CLASH_TUN-50"
    }
}

Test & Apply

# Test
nft --check --file /run/nftables_policy.conf
# Apply
nft --file /run/nftables_policy.conf

Monitor

nft monitor trace

Example Result

trace id 0abb78f9 ip vyos_mangle VYOS_PBR_PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_conntrack PREROUTING_HELPER packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip raw VYOS_TCP_MSS packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 inet mangle FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip protocol udp ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_FORWARD_filter packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_ZONE_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip nat VYOS_PRE_SNAT_HOOK packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts