bugzilla-daemon at netfilter.org
2019-Aug-27 18:18 UTC
[Bug 1362] New: iptables translation issues
https://bugzilla.netfilter.org/show_bug.cgi?id=1362 Bug ID: 1362 Summary: iptables translation issues Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: iptables over nftable Assignee: pablo at netfilter.org Reporter: arturo at debian.org Bug originally reported in the Debian tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916918 It probably contains several different issues in the same reports, sorry for that. But the report contains useful information to reproduce each case anyway. Original message follows: bash# iptables-translate -A INPUT -s 0.0.0.0/8 -j DROP nft add rule ip filter INPUT counter drop bash# (ignores source address match to yield a rule that drops everything) (0.0.0.0/8 != 0.0.0.0/0) bash# iptables-translate -6 -A protect-re -s 2001:db8:19::/64 -p tcp --sport 80 -j ACCEPT nft add rule ip filter protect-re ip6 saddr 2001:db8::ffff:ffff:0:0/0 tcp sport 80 counter accept bash# (borks the source address match completely) The last example is converted correctly by ip6tables-translate. But as I used to have ipv4 and ipv6 rules in the same file, I'm baffled by why iptables-restore-translate even tries to convert the ipv6 rules. Surely it should just skip them? I also ran into a baffling error message for a rule that uses the multiport module, and couldn't find a workaround or even what the real problem was: iptables-translate-restore v1.8.2 (nf_tables): multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp' Here's an attempt to manually translate the line in question: bash# iptables-translate -4 -A protect-re -m multiport -p udp -s 10.0.0.0/24 --ports 161,514 -j ACCEPT nft # -4 -A protect-re -m multiport -p udp -s 10.0.0.0/24 --ports 161,514 -j ACCEPT bash# -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190827/1d2bcfd3/attachment.html>
Seemingly Similar Threads
- [Bug 1335] New: iptables-restore will crash if -6 rules are present
- [Bug 1233] New: Problem with import of small iptables rule sets with multiport match
- [Bug 1348] New: v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
- [Bug 1448] New: SNAT/DNAT/Masquerading not working for UDPLite protocol
- [Bug 1412] New: ip6tables-nft not accepting "icmp" as shorthand for "icmpv6"