bugzilla-daemon at netfilter.org
2016-Feb-28 11:27 UTC
[Bug 1051] New: nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

Bug ID: 1051
Summary: nftables DNAT not working
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: critical
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: andrey.aleksandrovich at googlemail.com

Hi,

The issue is simple: `table nat` with prerouting hooks does not receive the appropriate traffic. Here are the config commands (1.2.3.4 is just a placeholder for the address actually used here):

    # nft add table inet filter
    # nft add chain inet filter input { type filter hook input priority 0 \; policy drop\; }
    # nft add rule inet filter input ct state invalid counter drop
    # nft add rule inet filter input ct state {established, related} counter accept
    # nft add rule inet filter input tcp dport 8080 counter accept
    # nft add chain inet filter forward { type filter hook forward priority 0 \; policy accept\; }
    # nft add rule inet filter forward counter
    # nft add chain inet filter output { type filter hook output priority 0 \; policy accept\; }
    # nft add rule inet filter output counter
    # nft add table nat
    # nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
    # nft add rule nat prerouting ip daddr 1.2.3.4 tcp dport 80 counter dnat 1.2.3.4:8080
    # nft add chain nat postrouting { type nat hook postrouting priority 0 \; }

But the traffic doesn't get redirected to 8080 (there are 0 bytes/packets):

    # nft list table nat -a -nn
    table ip nat {
            chain prerouting {
                    type nat hook prerouting priority 0; policy accept;
                    ip daddr 1.2.3.4 tcp dport 80 counter packets 0 bytes 0 dnat 1.2.3.4:8080 # handle 3
            }

            chain postrouting {
                    type nat hook postrouting priority 0; policy accept;
            }
    }

I've searched for a solution over the net and found out that it affects not only me:

https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1503695
http://www.spinics.net/lists/netfilter/msg56390.html
http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.general/48283

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160228/1818acd5/attachment.html>
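The symptom in this report is a nat rule that loads without any error yet never counts a packet, which is what you see when the kernel lacks the nat chain type (comment #4 later traces it to CONFIG_NFT_CHAIN_NAT_IPV4). The script below is an added example written for this page, not code from the bug report or from the nftables project. It assumes `nft` is in PATH and that the kernel config is readable from /proc/config.gz or /boot/config-$(uname -r); the two ruleset dumps embedded in it are constructed sample input that mirrors the report, and the kernel config option pattern is an assumption about how the option is named on kernels other than the reporter's 4.4.

```shell
#!/bin/sh
# Added example for this page; not code from the bug report or from the nftables project.
# Assumptions: nft is in PATH, the kernel config is readable from /proc/config.gz or
# /boot/config-$(uname -r), and the dumps below are constructed sample input.

# 1. Does the kernel config advertise nft nat chain support at all?  CONFIG_NFT_CHAIN_NAT_IPV4
#    is the option comment #4 found missing on a 4.4 kernel; the wider pattern is an
#    assumption meant to also match the option names of other kernel versions.
nft_nat_kconfig() {
    { zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } 2>/dev/null |
        grep -E '^CONFIG_(NFT_CHAIN_NAT[A-Z0-9_]*|NFT_NAT)=[ym]'
}

# 2. Turn `nft list ruleset -a -nn` output into "table/chain|rule|packets" records,
#    dropping the counter values and the handle so records from two dumps compare equal.
rule_counters() {
    printf '%s\n' "$1" | awk '
        /^table[[:space:]]/             { tbl = $2 " " $3 }
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /counter packets/ {
            for (i = 1; i <= NF; i++) if ($i == "packets") pk = $(i + 1)
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/ counter packets [0-9]+ bytes [0-9]+/, "", line)
            sub(/ # handle [0-9]+$/, "", line)
            print tbl "/" chain "|" line "|" pk
        }'
}

# 3. Given a dump taken before and one taken after generating test traffic, list every
#    rule whose packet counter did not move.  A rule that sits at the same count after
#    traffic that must have hit it is the "loads fine, matches nothing" symptom above.
unchanged_rules() {
    { rule_counters "$1"; echo '--'; rule_counters "$2"; } | awk -F'|' '
        $0 == "--" { after = 1; next }
        !after     { before[$1 "|" $2] = $3; next }
        ($1 "|" $2) in before && before[$1 "|" $2] == $3 {
            print $1 ": " $2 " (packets still " $3 ")"
        }'
}

# Live use (root, with a client connecting to the forwarded port in between):
#   before=$(nft list ruleset -a -nn); ...generate traffic...; after=$(nft list ruleset -a -nn)
#   unchanged_rules "$before" "$after"

# Constructed sample dumps: the filter rule counts packets, the prerouting dnat rule never does.
DUMP_BEFORE='table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        ip daddr 1.2.3.4 tcp dport 80 counter packets 0 bytes 0 dnat 1.2.3.4:8080 # handle 3
    }
}
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport 8080 counter packets 12 bytes 960 accept # handle 5
    }
}'
DUMP_AFTER=$(printf '%s\n' "$DUMP_BEFORE" | sed 's/packets 12 bytes 960/packets 40 bytes 3200/')

# Offline demonstration on the constructed dumps: only the nat rule is reported.
unchanged_rules "$DUMP_BEFORE" "$DUMP_AFTER"
```

The counter diff is the check that actually settles the question, because in the reporter's case the rule was accepted without complaint; the config grep only tells you where to look first.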
bugzilla-daemon at netfilter.org
2016-Feb-28 11:38 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #1 from Andrey <andrey.aleksandrovich at googlemail.com> ---

nftables v0.5 (Support Edward Snowden)
Kernel 4.4.3-hardened-r4-gnu
bugzilla-daemon at netfilter.org
2016-May-16 11:05 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---

I cannot reproduce this here. Is the iptable_nat module loaded there?

Please provide a bit more context on your setup, e.g. are you using this from a bridge or a router?
bugzilla-daemon at netfilter.org
2016-May-17 15:12 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #4 from Andrey <andrey.aleksandrovich at googlemail.com> ---

Well, yes, there was some mixing of iptables/nftables options in the kernel config. I have disabled everything related to iptables and enabled CONFIG_NFT_CHAIN_NAT_IPV4 (I missed it at that time). So it's working now, but some issues are still there.

First. It didn't return any error when I was adding nat rules while CONFIG_NFT_CHAIN_NAT_IPV4 was disabled.

Second. I was playing only with ports 80 and 8080. And now, AFAICS, it doesn't distinguish them by default (it falls back to the 'http' value). It looks like this: the router machine has the Apache service installed (nftables is also there); its internal address is 192.168.0.1. When I try to open http://192.168.0.1:80 from my client machine (192.168.0.2) I see the "Welcome" page. If I try:

    nft add rule nat prerouting ip daddr 192.168.0.1 tcp dport 8080 redirect to 80

and then try to open http://192.168.0.1:8080, it returns that the page is not available. BUT, when I use 58080 (instead of 8080):

    nft add rule nat prerouting ip daddr 192.168.0.1 tcp dport 58080 redirect to 80

http://192.168.0.1:58080 returns "Welcome" again. In the table listing ('nft list table nat -a -nn') I also saw port 591 (which I set nowhere).

So, I think it must respect the port number, and not fall back to its designation (to avoid port number mixing).
bugzilla-daemon at netfilter.org
2016-May-26 12:01 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #5 from Andrey <andrey.aleksandrovich at googlemail.com> ---

Another sample, same issue. I have an application listening on port 65525, but it announces that it listens on 80. If I do this:

    # nft add rule nat prerouting ip daddr 1.2.3.4 tcp dport 80 redirect to 65525

the application reports to me that 1.2.3.4:80 is not reachable from outside (an application log entry that reports the response from the remote host). Same if there is 443 instead of 80. While the rule for DNS redirect (for internal networks):

    # nft add rule nat prerouting ip daddr 192.168.0.1 udp dport 53 dnat 8.8.8.8:53

is working well.

So, that's it.
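Comments #4 and #5 describe rules written with one port that behave as if they carried another, with port 591 turning up in a listing that never mentioned it. The thread does not show what nft 0.5 did internally (the fix commit is only linked below), so the mechanism modelled here is an assumption: a port number being resolved to a service name and back, where /etc/services registers the same name for more than one port. The script is an added example written for this page, not code from the bug report or from nftables, and the services table in it is a constructed excerpt; that 8080 and 591 share the name http-alt in that table is the assumption the check rests on, and real /etc/services contents vary by distribution.

```shell
#!/bin/sh
# Added example for this page; not code from the bug report or from the nftables project.
# SERVICES is a constructed /etc/services excerpt (real files vary by distribution).  That
# 8080 and 591 both carry the name http-alt here is the assumption behind every check below.

SERVICES='http       80/tcp    www
http-alt   591/tcp
domain     53/udp
http-alt   8080/tcp  webcache'

# First service name registered for a port/protocol, the way getservbyport(3) answers.
port_to_name() {
    printf '%s\n' "$SERVICES" | awk -v p="$1/$2" '$2 == p { print $1; exit }'
}

# First port registered for a name/protocol, the way getservbyname(3) answers.
name_to_port() {
    printf '%s\n' "$SERVICES" | awk -v n="$1" -v pr="$2" '
        $1 == n { split($2, f, "/"); if (f[2] == pr) { print f[1]; exit } }'
}

# The port you end up with after a number -> name -> number round trip.  It equals the
# input for 80 and for an unregistered port such as 58080, but 8080 comes back as 591,
# which matches what comment #4 observed for exactly those three ports.
roundtrip_port() {
    n=$(port_to_name "$1" "$2")
    if [ -n "$n" ]; then
        name_to_port "$n" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Service names registered for more than one port of a protocol: the ports worth writing
# numerically and re-checking in `nft list ... -nn` output after loading the rule.
ambiguous_names() {
    printf '%s\n' "$SERVICES" | awk -v pr="$1" '
        { split($2, f, "/"); if (f[2] == pr) seen[$1]++ }
        END { for (n in seen) if (seen[n] > 1) print n }' | sort
}

# Exit status 0 when a rule written with port $1/$2 survives the round trip unchanged.
port_is_stable() {
    [ "$(roundtrip_port "$1" "$2")" = "$1" ]
}

# Preflight for the ports a ruleset relies on: report the ones that would be rewritten.
check_ports() {
    for p in "$@"; do
        port_is_stable "$p" tcp || echo "tcp port $p would become $(roundtrip_port "$p" tcp)"
    done
}

check_ports 80 8080 58080
```

Whatever the version of nft, the practical habit this suggests is to compare the numeric listing (`nft list table nat -a -nn`) against the rule you typed immediately after adding it, and to treat any port whose name is shared by several numbers as one to verify rather than assume.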
bugzilla-daemon at netfilter.org
2016-May-26 14:25 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Are you using nft git at current HEAD? We already have this bugfix applied:

http://git.netfilter.org/nftables/commit/?id=878b97fc251a09c12db489c32b87bf33aa5aa81b

So please, give nft a try and let us know. Thanks.
bugzilla-daemon at netfilter.org
2016-May-26 17:14 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #7 from Andrey <andrey.aleksandrovich at googlemail.com> ---

(In reply to Pablo Neira Ayuso from comment #6)
> Are you using nft git at current HEAD?
>
> We have already this bugfix applied:
>
> http://git.netfilter.org/nftables/commit/?id=878b97fc251a09c12db489c32b87bf33aa5aa81b

No, I'm using the package from my system (Gentoo) package manager (it gets the source code from this link: http://git.netfilter.org/nftables/snapshot/v0.5.tar.gz). AFAICS at http://netfilter.org/projects/nftables/downloads.html, that snapshot has an earlier date than the bugfix you mentioned. It would be good if you would make a new snapshot. I would surely try it. I don't want to install any stuff in my system other than through the package manager.
bugzilla-daemon at netfilter.org
2016-Jun-04 09:16 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #8 from Andrey <andrey.aleksandrovich at googlemail.com> ---

All right! 0.6 is working. Thanks a lot :)
bugzilla-daemon at netfilter.org
2016-Jun-06 11:41 UTC
[Bug 1051] nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Closing, thanks for confirming.