netfilter buglog - Jul 2023 - [Bug 1501] issue with DNAT port range

https://bugzilla.netfilter.org/show_bug.cgi?id=1501

--- Comment #9 from Phil Sutter <phil at nwl.cc> ---
(In reply to marco.drummer from comment #8)
> (In reply to Phil Sutter from comment #7)
> 
> I am currently using iptables v1.8.7 (nf_tables) on Ubuntu 22.04.2 LTS
> 
> Almost all of my rules are converted to nft to make use of the advantages
> and simplifications in syntax.
> 
> However since shifted port ranges are still not available I still have a
> single rule that is being applied by iptables_nft
> 
> > What performance and compatibility drawbacks are you talking about in
> > particular?
> 
> 
> Nftables are generally "advertised" as being faster than the old
xtables
> kernel structures, which together with being pushed away from legacy
> iptables by more and more distributions is why I did this.
Ah, I wasn't aware you're actively mixing iptables-nft and nft to create
your
ruleset. This certainly explains the "compatibility drawbacks"
you're
experiencing. Which is certainly no surprise.
> > Why would iptables not print anything? Any rule created with
iptables-nft
> > will
> > be listed correctly by iptables-nft(-save).
> > 
> > Cheers, Phil
> 
> At the moment nft list ruleset prints: 
> 
>         chain PREROUTING {
>                 meta l4proto tcp tcp dport 5500-5600 counter packets 14219
> bytes 579188 dnat to 10.212.0.1:21500-21600;5500
>         }
> 
> This rule was set by iptables-nft since nft does not support it.
> However if newer versions of nft will no longer print this since it is
> essentially wrong syntax I have no means to see that rule is active
> since iptables-nft refuses to print any output:
> 
> iptables v1.8.7 (nf_tables): table `nat' is incompatible, use
'nft' tool.
You might avoid this by creating a custom chain to hold the iptables-nft rule
and listing it using 'iptables -t nat -S <chain>'. Due to reduced
caching,
iptables should not see the tables' other chains then.

Though you'll get a rough idea from nft listing, too. It merely doesn't
print a
translation but something like 'xt target DNAT'.
> You will probably tell me that mixing nft and iptables is the issue and I
> agree, but more and more distributions are finding ways to force people
> towards nft, but things like shifted port ranges are still not available.
> So either this interoperability has to keep working without silently
> dropping non-parsable rules from the nft output or nft tables needs to
> implement missing features.
I agree, but capacities are limited. If you're familiar with nftables code,
feel free to chime in:

- Kernel space is ready AFAICT:
https://lore.kernel.org/netfilter-devel/20230324190419.543888-2-jeremy at
azazel.net/T/
- User space is WiP, it needs support for use of maps:
https://lore.kernel.org/all/20230425195143.GC5944 at celephais.dreamlands/t/

Cheers, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230727/566b275f/attachment.html>