bugzilla-daemon at netfilter.org
2018-May-03 14:09 UTC
[Bug 1255] New: nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
Bug ID: 1255
Summary: nftables SNAT is not working
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: belkin_a at hotmail.com
Set-up:
1. Linux (tried on LEDE at arm, OpenWrt at arm, Ubuntu16 at x86)
2. iptables disabled (kernel modules unloaded)
3. nftables (tried v. 0.8, 0.8.2)
4. chains and NAT are created according to official nftables wiki
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT):
% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
By this set-up, dnat functions as expected, e.g.:
% nft add rule nat prerouting tcp dport 15000 dnat 192.168.0.50:20000
redirects all incoming TCP packets from port 15000 to 192.168.0.50:20000 and
back.
However, no snat rule is processed (none of the following rules):
% nft add rule nat postrouting counter ip saddr 192.168.0.50 snat 1.2.3.4
% nft add rule nat postrouting counter tcp sport 20000 snat 1.2.3.4:1234
% nft add rule nat postrouting counter ip protocol tcp drop
I've tried these rules separately or in variations (oif, ip+tcp, ...) - the
packets are still going through unchanged (proved by Wireshark) or not dropped.
Though:
1. The postrouting chain is processed, since if I remove the postrouting chain,
dnat (by prerouting) stops working (as expected).
2. Adding a drop rule to input or output chains works.
Any ideas here?
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180503/f9790308/attachment.html>
bugzilla-daemon at netfilter.org
2018-May-07 12:39 UTC
[Bug 1255] nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
--- Comment #1 from Andrey Belkin <belkin_a at hotmail.com> ---
3. Adding chains with `type nat hook input/output` according to
https://marc.info/?l=netfilter&m=152532769025083&w=2 still doesn't solve the
problem.
bugzilla-daemon at netfilter.org
2018-May-07 16:55 UTC
[Bug 1255] nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
Andrey Belkin <belkin_a at hotmail.com> changed:
What                    | Removed | Added
------------------------|---------|------------------------
CC                      |         | belkin_a at hotmail.com
bugzilla-daemon at netfilter.org
2019-Jul-12 10:07 UTC
[Bug 1255] nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What                    | Removed | Added
------------------------|---------|------------------------
Status                  | NEW     | ASSIGNED
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
What kernel version are you using? It would be good to retry with nftables
0.9.1 (latest release).
bugzilla-daemon at netfilter.org
2019-Oct-07 05:19 UTC
[Bug 1255] nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
Thomas <tad1073 at gmail.com> changed:
What                    | Removed | Added
------------------------|---------|------------------------
CC                      |         | tad1073 at gmail.com
--- Comment #3 from Thomas <tad1073 at gmail.com> ---
(In reply to Andrey Belkin from comment #0)
> Set-up:
>
> 1. Linux (tried on LEDE at arm, OpenWrt at arm, Ubuntu16 at x86)
> 2. iptables disabled (kernel modules unloaded)
> 3. nftables (tried v. 0.8, 0.8.2)
> 4. chains and NAT are created according to official nftables wiki
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT):
>
> % nft add table nat
> % nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> % nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
>
> By this set-up, dnat functions as expected, e.g.:
>
> % nft add rule nat prerouting tcp dport 15000 dnat 192.168.0.50:20000
>
> redirects all incoming TCP packets from port 15000 to 192.168.0.50:20000 and
> back.
>
>
> However, no snat rule is processed (none of the following rules):
>
> % nft add rule nat postrouting counter ip saddr 192.168.0.50 snat 1.2.3.4
> % nft add rule nat postrouting counter tcp sport 20000 snat 1.2.3.4:1234
> % nft add rule nat postrouting counter ip protocol tcp drop
>
> I've tried these rules separately or in variations (oif, ip+tcp, ...) - the
> packets are still going through unchanged (proved by Wireshark) or not
> dropped. Though:
>
> 1. The postrouting chain is processed, since if I remove the postrouting
> chain, dnat (by prerouting) stops working (as expected).
> 2. Adding a drop rule to input or output chains works.
>
> Any ideas here?
If you're copying and pasting, that might be the problem.
bugzilla-daemon at netfilter.org
2019-Oct-07 05:21 UTC
[Bug 1255] nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
--- Comment #4 from Thomas <tad1073 at gmail.com> ---
nft add rule nat prerouting tcp dport 15000 dnat to 192.168.0.50:20000
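The NAT set-up discussed in this thread, written as a single nft ruleset file with the `to` keyword that comment #4 uses for the translation target, and with a counter on every rule so that hits can be read back with `nft list table ip nat`. This is an added example for readers of the archive, not the reporter's configuration or anything from the bug; the interface name eth0 and the LAN prefix 192.168.0.0/24 are assumptions, and 1.2.3.4 is simply the placeholder address the reporter used.

```nft
#!/usr/sbin/nft -f
# Added example (not from the bug report): the port forward and source NAT
# from this thread as one atomically loaded ruleset. Load with `nft -f FILE`.
# Assumptions: the outside interface is eth0 and the LAN is 192.168.0.0/24;
# 1.2.3.4 is the reporter's placeholder for the public address.

# `add` is a no-op if the table already exists, `flush` empties it, so the
# file can be re-applied without duplicating rules.
add table ip nat
flush table ip nat

table ip nat {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;

		# Port forward from comment #0, spelled with `to` as in comment #4.
		# The counter counts the first packet of each matching connection:
		# nat chains are consulted only for packets that create a new
		# conntrack entry, so an already-tracked flow never increments it.
		iif "eth0" tcp dport 15000 counter dnat to 192.168.0.50:20000
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;

		# Source NAT for new connections leaving the LAN through eth0.
		# Replies to a connection that was DNATed in prerouting are
		# reverse-translated by conntrack on their own; they do not pass
		# through this chain as new connections, so no `tcp sport 20000`
		# rule is needed (or seen) for them.
		oif "eth0" ip saddr 192.168.0.0/24 counter snat to 1.2.3.4
	}
}
```

When testing a NAT rule, start a fresh connection after loading the ruleset (or flush the connection tracking table with `conntrack -F` from conntrack-tools): a flow that was already tracked before the rule existed keeps the mapping it got on its first packet, and a packet capture of that flow will show it unchanged no matter what the postrouting chain says. Reading `counter packets N` on each rule is the quickest way to tell whether the chain is being evaluated at all.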