bugzilla-daemon at netfilter.org
2018-Jan-10 12:34 UTC
[Bug 1213] New: Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

            Bug ID: 1213
           Summary: Nft stateless NAT (NOTRACK)
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Ubuntu
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: mskim128 at gmail.com

I use Ubuntu 17.10 (nftables 0.8, kernel 4.13)

NOTRACK is used to turn off connection tracking for all packets matching this
rule. For example, in iptables:

iptables -t raw -I PREROUTING -j NOTRACK

I'd like to use stateless NAT (1:1) instead of iptables.

nft add table NAT
nft add chain NAT prerouting {type nat hook prerouting priority - 300 \; }
nft add chain NAT postrouting {type nat hook postrouting priority - 300 \; }
nft add rule NAT prerouting counter
nft add rule NAT prerouting ip daddr 192.168.204.60 notrack counter
nft add rule NAT prerouting counter

The counter value of prerouting is zero.

table ip NAT {
    chain prerouting {
        counter packets 0 bytes 0
        ip daddr 192.168.204.60 notrack counter packets 0 bytes 0
        counter packets 0 bytes 0
    }
}

Thanks,

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180110/bbf7793e/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jan-12 06:16 UTC
[Bug 1213] Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

Myeongsu Kim <mskim128 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mskim128 at gmail.com
bugzilla-daemon at netfilter.org
2018-Feb-02 00:00 UTC
[Bug 1213] Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fw at strlen.de,
                   |                            |pablo at netfilter.org

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Myeongsu Kim from comment #0)
> I use Ubuntu 17.10 (nftables 0.8, kernel 4.13)
>
> NOTRACK is used to turn off connection tracking for all packets matching this
> rule. For example, in iptables:
>
> iptables -t raw -I PREROUTING -j NOTRACK
>
> I'd like to use stateless NAT (1:1) instead of iptables.

You can already do stateless NAT (1:1), eg.

nft add rule x y ip saddr 192.168.204.60 ip daddr set 192.168.203.21

nat chains are only there for stateful nat, so you can just use a filter
chain instead.

> nft add table NAT
> nft add chain NAT prerouting {type nat hook prerouting priority - 300 \; }
> nft add chain NAT postrouting {type nat hook postrouting priority - 300 \; }
> nft add rule NAT prerouting counter
> nft add rule NAT prerouting ip daddr 192.168.204.60 notrack counter
> nft add rule NAT prerouting counter
>
> The counter value of prerouting is zero.

Right, this is a bug. We need a kernel fix for this: Basically, we need to
register conntrack if there's a NAT chain in place.
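Added example (not part of the bug report or of the nftables project): a complete ruleset that follows the advice above, doing 1:1 stateless NAT from filter-type chains rather than nat-type chains, so no conntrack entry is needed or created. The addresses reuse the ones quoted in this thread and are placeholders: 192.168.204.60 stands for the externally visible address, 192.168.203.21 for the host behind it. The hook priorities are assumed; -300 is used, as in the report, so the rules run before the conntrack hook at -200.

```nft
#!/usr/sbin/nft -f
# Added example, not from the bug report: stateless 1:1 NAT in filter chains.
# 192.168.204.60 = outside address (placeholder), 192.168.203.21 = inside host (placeholder).

flush ruleset

table ip stateless_nat {
    chain prerouting {
        # filter chain, not nat chain: no conntrack/NAT engine involved
        type filter hook prerouting priority -300; policy accept;

        # Inbound: rewrite the destination before the routing decision, and
        # mark the packet notrack so conntrack (priority -200) skips it.
        ip daddr 192.168.204.60 ip daddr set 192.168.203.21 notrack counter

        # Outbound packets from the inside host also enter via prerouting
        # (forwarded traffic); opt them out of conntrack here, because
        # notrack only has effect before the conntrack hook runs.
        ip saddr 192.168.203.21 notrack counter
    }

    chain postrouting {
        type filter hook postrouting priority -300; policy accept;

        # Outbound: rewrite the source on the way out. Both directions are
        # now handled by plain payload rewrites with no state kept.
        ip saddr 192.168.203.21 ip saddr set 192.168.204.60 counter
    }
}
```

Load it with `nft -f <file>` on a host that forwards between the two networks. To confirm the rules are hit and that nothing is being tracked, compare the `counter` values in `nft list ruleset` against `conntrack -L` from conntrack-tools: the counters should increase while no entry for the rewritten flow appears in the conntrack table. Because the packet is rewritten without state, reply traffic relies entirely on the second pair of rules, which is the usual caveat of stateless NAT compared with a stateful nat chain.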
bugzilla-daemon at netfilter.org
2018-Feb-08 05:06 UTC
[Bug 1213] Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

--- Comment #2 from Myeongsu Kim <mskim128 at gmail.com> ---
I use a filter chain. It works. Thanks.
bugzilla-daemon at netfilter.org
2018-Apr-22 19:50 UTC
[Bug 1213] Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

Shane <arlenslambert at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arlenslambert at gmail.com
              Alias|                            |mailto:mskim128 at gmai
bugzilla-daemon at netfilter.org
2018-Apr-23 18:26 UTC
[Bug 1213] Nft stateless NAT (NOTRACK)
https://bugzilla.netfilter.org/show_bug.cgi?id=1213

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Regarding:

> nft add table NAT
> nft add chain NAT prerouting {type nat hook prerouting priority - 300 \; }
> nft add chain NAT postrouting {type nat hook postrouting priority - 300 \; }
> nft add rule NAT prerouting counter
> nft add rule NAT prerouting ip daddr 192.168.204.60 notrack counter
> nft add rule NAT prerouting counter
>
> The counter value of prerouting is zero.

For the record, now nf_tables loads conntrack if a NAT chain gets registered,
which is one of the problems that was also reported in this bug report.

commit 43a605f2f722b6e08addedae8545b490fca252c4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Mar 27 11:53:08 2018 +0200

    netfilter: nf_tables: enable conntrack if NAT chain is registered

Closing. Thanks for reporting.