Nftables rules for duplicating all traffic to network hub with IDS

Hello,
I need advice on how to add an nftables rule to duplicate all traffic to a network hub with IDS Suricata.
And how to make this rule persistent even after reboot?

In Proxmox I have a linux network bridge with bridge_ageing 0.
In the virtual machine Suricata runs at the address 172.19.0.150
In OpenWRT/TOS I have device eth3 → interface ids (172.19.0.148/24) → firewall zone ids (input accept, output accept, forward reject) - is this necessary?

In iptables I used tee and the corresponding kernel module, which needed to be installed…
Do I need to install kmod-nft-dup-inet or kmod-nf-dup-inet for nftables?

I tried to translate the iptables rule using iptables-translate, but in vain.
I admit that I don't understand nftables at all.
Should I create another table for the duplication rule?
Or add the rules to the fw4 main table?
Add the rule to prerouting or postrouting?

My attempt ended with this error message:

nft add rule inet fw4 postrouting counter dup to 172.19.0.150
Error: unsupported family
add rule inet fw4 postrouting counter dup to 172.19.0.150
^^^^^^^^^^^^^^^^^^^

PS: I could just duplicate lan or wan (endless arguments about what to pre-assign to Suricata, whether wan or lan or both…)

Check "nft list ruleset" for valid chain names, or create the full hook yourself.


Port mirroring is achieved via tc mirred on DSA or via checkboxes on best swconfig switches.
nftables unless one uses ingress/egress will duplicate part-demuxed like defragmented packets at raw hooks and out of order.

Hi @brada4
I have heard about the duplicate and out of order packets, if using nftables dup, and it seems logical.

There are no switches in this OpenWrt router involved. It is an x86-64 virtual server with VirtIO virtualized network cards (the hardware behind them are 25Gbps network cards).

Should I try to bridge for example the lan interface and the ids interface and set this bridge in OpenWrt as Ageing time 0 (Advanced device options)?
So it would act as a network hub?

Or is there another option for duplicating all traffic to another device when there is no switch involved? Thanks in advance.

inet tables, including fw4, do not attach to bridges.

If you want to duplicate like 1st megabyte of connection:
https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

otherwise tc mirred


ok,

tc and tc mirred are not useful in this case,
because there is no DSA switch and this command is for configuring the switch...
(only network cards... no switch)

Yes.

Try this:

nft add table ip mangle
nft add chain ip mangle prerouting '{type filter hook prerouting priority mangle; policy accept; }'
nft add rule ip mangle prerouting counter dup to 172.19.0.150

If it works for you, here is an example of how to make the new table permanent.

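An added example, not from any post in this thread: the three nft commands above turned into a reloadable ruleset file, with a syntax check before loading and a fw4 script include so the table comes back after a reboot or a firewall reload. It uses the ip family, where "dup to <IPv4 address>" is accepted (the inet family rejects it, which is what the "unsupported family" error quoted above reports). The table name "mirror", the file paths under /etc, the optional iifname match and the exclusion of the sensor's own address are my assumptions, not something the thread specifies; the uci include options are the fw4 script include as I know it.

```sh
#!/bin/sh
# Mirror IPv4 traffic crossing an OpenWrt/fw4 router to a Suricata sensor
# using the nftables dup statement. Example code; assumed names and paths
# are marked below.

# gen_dup_ruleset SENSOR_IP [IIFNAME]
# Prints an nft script. With IIFNAME, only packets arriving on that
# interface are mirrored (e.g. br-lan for LAN only, eth1 for WAN only);
# without it, everything that reaches prerouting is mirrored.
gen_dup_ruleset() {
    sensor="$1"
    iif="$2"
    if [ -z "$sensor" ]; then
        echo "usage: gen_dup_ruleset SENSOR_IP [IIFNAME]" >&2
        return 1
    fi
    # Minimal sanity check: digits and dots only, no empty octets.
    case "$sensor" in
        *[!0-9.]*|.*|*.|*..*) echo "not an IPv4 address: $sensor" >&2; return 1 ;;
    esac
    match=""
    if [ -n "$iif" ]; then
        match="iifname \"$iif\" "
    fi
    cat <<EOF
#!/usr/sbin/nft -f
# "mirror" is an assumed table name. Creating the table and deleting it in
# the same transaction makes every reload idempotent: the table is replaced
# instead of gaining a second copy of the rule each time the file is loaded.
table ip mirror {}
delete table ip mirror

table ip mirror {
	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
		# The copy is delivered to the sensor by normal routing. Leaving out
		# the sensor's own addresses keeps its management traffic out of
		# the mirror stream.
		${match}ip saddr != $sensor ip daddr != $sensor counter dup to $sensor
	}
}
EOF
}

# apply_ruleset SENSOR_IP [IIFNAME]: parse-check, then load. Run as root on
# the router. dup needs the nft_dup_ipv4 kernel module; nft normally
# autoloads it, the explicit check just gives a clearer error when it is
# missing (on OpenWrt it ships in kmod-nft-dup-inet, as far as I know).
apply_ruleset() {
    [ -d /sys/module/nft_dup_ipv4 ] || modprobe nft_dup_ipv4 || return 1
    gen_dup_ruleset "$@" > /tmp/mirror.nft || return 1
    nft -c -f /tmp/mirror.nft || return 1
    nft -f /tmp/mirror.nft
}

# install_persistent SENSOR_IP [IIFNAME]: hook the file into fw4 as a script
# include so it is re-applied on boot and on every firewall reload.
# /etc/firewall.mirror.nft, /etc/firewall.mirror.sh and the section name
# "mirror" are assumed paths/names.
install_persistent() {
    gen_dup_ruleset "$@" > /etc/firewall.mirror.nft || return 1
    cat > /etc/firewall.mirror.sh <<'EOF'
#!/bin/sh
# Run by fw4 after each firewall start/reload; the ruleset file itself is
# idempotent, so re-running it is safe.
nft -f /etc/firewall.mirror.nft
EOF
    chmod +x /etc/firewall.mirror.sh
    uci -q delete firewall.mirror 2>/dev/null || true
    uci set firewall.mirror=include
    uci set firewall.mirror.type='script'
    uci set firewall.mirror.path='/etc/firewall.mirror.sh'
    uci set firewall.mirror.fw4_compatible='1'
    uci commit firewall
    /etc/init.d/firewall restart
}

# Usage: ./mirror.sh gen|apply|install SENSOR_IP [IIFNAME]
case "${1:-}" in
    gen)     shift; gen_dup_ruleset "$@" ;;
    apply)   shift; apply_ruleset "$@" ;;
    install) shift; install_persistent "$@" ;;
esac
```

Running `./mirror.sh gen 172.19.0.150 br-lan` prints the ruleset so you can read it before touching the router; `apply` loads it once for a test, and `install` makes it survive a reboot. Check the result with `nft list table ip mirror` and watch the counter climb while the sensor sees traffic.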