bugzilla-daemon at netfilter.org
2023-Jul-27 11:18 UTC
[Bug 1501] issue with DNAT port range
https://bugzilla.netfilter.org/show_bug.cgi?id=1501

--- Comment #9 from Phil Sutter <phil at nwl.cc> ---
(In reply to marco.drummer from comment #8)
> (In reply to Phil Sutter from comment #7)
>
> I am currently using iptables v1.8.7 (nf_tables) on Ubuntu 22.04.2 LTS
>
> Almost all of my rules are converted to nft to make use of the advantages
> and simplifications in syntax.
>
> However since shifted port ranges are still not available I still have a
> single rule that is being applied by iptables_nft
>
> > What performance and compatibility drawbacks are you talking about in
> > particular?
>
> Nftables are generally "advertised" as being faster than the old xtables
> kernel structures, which together with being pushed away from legacy
> iptables by more and more distributions is why I did this.

Ah, I wasn't aware you're actively mixing iptables-nft and nft to create
your ruleset. This certainly explains the "compatibility drawbacks" you're
experiencing. Which is certainly no surprise.

> > Why would iptables not print anything? Any rule created with iptables-nft
> > will be listed correctly by iptables-nft(-save).
> >
> > Cheers, Phil
>
> At the moment nft list ruleset prints:
>
> chain PREROUTING {
>         meta l4proto tcp tcp dport 5500-5600 counter packets 14219
>         bytes 579188 dnat to 10.212.0.1:21500-21600;5500
> }
>
> This rule was set by iptables-nft since nft does not support it.
> However if newer versions of nft will no longer print this since it is
> essentially wrong syntax I have no means to see that rule is active
> since iptables-nft refuses to print any output:
>
> iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.

You might avoid this by creating a custom chain to hold the iptables-nft
rule and listing it using 'iptables -t nat -S <chain>'. Due to reduced
caching, iptables should not see the table's other chains then. Though
you'll get a rough idea from the nft listing, too: it merely doesn't print
a translation but something like 'xt target DNAT'.

> You will probably tell me that mixing nft and iptables is the issue and I
> agree, but more and more distributions are finding ways to force people
> towards nft, but things like shifted port ranges are still not available.
> So either this interoperability has to keep working without silently
> dropping non-parsable rules from the nft output or nftables needs to
> implement missing features.

I agree, but capacities are limited. If you're familiar with nftables code,
feel free to chime in:

- Kernel space is ready AFAICT:
  https://lore.kernel.org/netfilter-devel/20230324190419.543888-2-jeremy at azazel.net/T/
- User space is WiP, it needs support for use of maps:
  https://lore.kernel.org/all/20230425195143.GC5944 at celephais.dreamlands/t/

Cheers, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
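Added example, not part of the bug thread and not iptables or nftables project code: a small Python model of the shifted port range the quoted rule uses, plus the explicit one-entry-per-port nft map that is the kind of user-space workaround the second lore.kernel.org link is about. Assumptions: the '/baseport' semantics follow the iptables-extensions DNAT documentation (new port = range start + (dport - baseport), so each port keeps its offset); the nft concatenated NAT-map syntax `dnat ip addr . port to tcp dport map { ... }` is taken from the nft(8) NAT statement documentation and should be verified against the installed nft version; the sample rule line, addresses and chain name are copied from the thread.

```python
"""Model of the xt DNAT shifted port range discussed in bug 1501.

Added example, not code from the bug thread or from iptables/nftables.
The rule nft rendered as

    tcp dport 5500-5600 ... dnat to 10.212.0.1:21500-21600;5500

is, in iptables syntax,

    -p tcp --dport 5500:5600 -j DNAT --to-destination 10.212.0.1:21500-21600/5500

Assumption: the '/baseport' semantics follow iptables-extensions(8): the new
port is range_start + (dport - baseport), so each port keeps its offset.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample: the rule line marco quoted from `nft list ruleset`.
THREAD_RULE = ("meta l4proto tcp tcp dport 5500-5600 counter packets 14219 "
               "bytes 579188 dnat to 10.212.0.1:21500-21600;5500")

_RULE_RE = re.compile(
    r"tcp dport (?P<mlo>\d+)-(?P<mhi>\d+).*?dnat to "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<nlo>\d+)-(?P<nhi>\d+);(?P<base>\d+)")


@dataclass(frozen=True)
class ShiftedDnat:
    match_lo: int      # tcp dport match, low end
    match_hi: int      # tcp dport match, high end
    addr: IPv4Address  # DNAT destination address
    new_lo: int        # DNAT port range, low end
    new_hi: int        # DNAT port range, high end
    base: int          # baseport: dport - base is the offset into the new range

    def __post_init__(self) -> None:
        ports = (self.match_lo, self.match_hi, self.new_lo, self.new_hi, self.base)
        if any(not 0 <= p <= 65535 for p in ports):
            raise ValueError(f"port out of range in {ports}")
        if self.match_lo > self.match_hi or self.new_lo > self.new_hi:
            raise ValueError("inverted port range")

    def translate(self, dport: int) -> tuple[IPv4Address, int]:
        """First-choice NAT port for one matched packet.

        Mirrors the NF_NAT_RANGE_PROTO_OFFSET path of the kernel's L4 NAT
        port selection: off = dport - base (unsigned 32-bit arithmetic),
        port = new_lo + off % size. The kernel moves on to the next free
        port if that tuple is already in use; collisions are not modelled.
        """
        if not self.match_lo <= dport <= self.match_hi:
            raise LookupError(f"dport {dport} outside {self.match_lo}-{self.match_hi}")
        size = self.new_hi - self.new_lo + 1
        off = (dport - self.base) & 0xFFFFFFFF
        return self.addr, self.new_lo + off % size

    def iptables_rule(self, chain: str = "PREROUTING") -> str:
        """iptables-nft command for this mapping (shifted range via '/baseport')."""
        return (f"iptables -t nat -A {chain} -p tcp --dport {self.match_lo}:{self.match_hi} "
                f"-j DNAT --to-destination {self.addr}:{self.new_lo}-{self.new_hi}/{self.base}")

    def nft_map_rule(self, table: str = "nat", chain: str = "PREROUTING") -> str:
        """Explicit one-entry-per-port nft map with the same effect.

        Assumption: concatenated NAT map syntax as documented for nft(8),
        'dnat ip addr . port to tcp dport map { ... }'. Verify on your nft.
        """
        entries = ", ".join(
            f"{p} : {self.addr} . {self.translate(p)[1]}"
            for p in range(self.match_lo, self.match_hi + 1))
        return f"add rule ip {table} {chain} dnat ip addr . port to tcp dport map {{ {entries} }}"


def parse_nft_rendering(line: str) -> ShiftedDnat:
    """Build a ShiftedDnat from nft's 'dnat to ADDR:LO-HI;BASE' rendering."""
    m = _RULE_RE.search(line)
    if m is None:
        raise ValueError("no shifted DNAT found in rule")
    g = m.groupdict()
    return ShiftedDnat(int(g["mlo"]), int(g["mhi"]), IPv4Address(g["addr"]),
                       int(g["nlo"]), int(g["nhi"]), int(g["base"]))


if __name__ == "__main__":
    rule = parse_nft_rendering(THREAD_RULE)
    for port in (5500, 5550, 5600):
        print(port, "->", rule.translate(port))
    print(rule.iptables_rule())
    print(rule.nft_map_rule()[:120], "...")
```

The map form trades one xt rule for 101 map entries, which is why the thread points at map support in nft user space as the prerequisite for a proper shifted-range translation; until then, the explicit map is the only way to express the same mapping in native nft syntax without the iptables-nft rule that breaks `iptables -t nat -L` on the table.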