Skip to content

Instantly share code, notes, and snippets.

@squarooticus

squarooticus/nftables_mdns.conf

Last active January 31, 2024 06:44
Show Gist options
  • Save squarooticus/7b8c6cc5871213db6baa12eb3c01f036 to your computer and use it in GitHub Desktop.
Save squarooticus/7b8c6cc5871213db6baa12eb3c01f036 to your computer and use it in GitHub Desktop.
Download ZIP
Use nftables to repeat mDNS/Bonjour packets across two different interfaces. Works for Google Cast/Chromecast groups!
Raw
nftables_mdns.conf
table ip mangle {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr 224.0.0.251 iif eth3 ip saddr set 192.168.2.1 dup to 224.0.0.251 device eth2 notrack
ip daddr 224.0.0.251 iif eth2 ip saddr set 192.168.3.1 dup to 224.0.0.251 device eth3 notrack
}
}
table ip6 mangle {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip6 daddr ff02::fb iif eth3 ip6 saddr set fd00:0:0:2::1 dup to ff02::fb device eth2 notrack
ip6 daddr ff02::fb iif eth2 ip6 saddr set fd00:0:0:3::1 dup to ff02::fb device eth3 notrack
}
}
@BBaoVanC
Copy link

  • notrack instructs the kernel not to invoke connection tracking for this rule. It might be vestigal; I haven't checked.

If I'm understanding the wiki right, the mangle priority is -150, which is later than conntrack, which is -200.

Also, I can't get this to work. Here is my config:

table ip mdns {
    chain prerouting {
        #type filter hook prerouting priority raw; policy accept;
        type filter hook prerouting priority mangle; policy accept;

        ip daddr 224.0.0.251 meta nftrace set 1

        # repeat mDNS from IoT to main
        ip daddr 224.0.0.251 iif iot ip saddr set 10.0.0.1 dup to 224.0.0.251 device main notrack
        ip daddr 224.0.0.251 iif main ip saddr set 10.0.4.1 dup to 224.0.0.251 device iot notrack
    }
}

I'm seeing no output from nftrace, even if I uncomment the beginning line to change priority higher (to raw). I also don't see anything in Wireshark being repeated. Any ideas what I'm doing wrong, or should I switch to an actual mDNS repeater program?

@BBaoVanC
Copy link

Nevermind, it actually was working but I forgot to allow the regular traffic between VLANs. I didn't see anything in nftrace because the interface was not in promiscuous mode. Here's my working config:

table ip mdns {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # WARNING: nftrace does not work for this unless you put interface in promiscuous mode or
        # run tcpdump in the background
        # ip l set [iface] promisc [on/off]
        ip daddr 224.0.0.251 jump mdns
    }
    chain mdns {
        # repeat mDNS from IoT to main
        iif iot ip saddr set 10.0.0.1 dup to 224.0.0.251 device main
        iif main ip saddr set 10.0.4.1 dup to 224.0.0.251 device iot
    }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment