bugzilla-daemon at netfilter.org
2019-Aug-27 18:18 UTC
[Bug 1362] New: iptables translation issues
https://bugzilla.netfilter.org/show_bug.cgi?id=1362
Bug ID: 1362
Summary: iptables translation issues
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables over nftable
Assignee: pablo at netfilter.org
Reporter: arturo at debian.org
Bug originally reported in the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916918
It probably contains several different issues in the same reports, sorry for
that. But the report contains useful information to reproduce each case anyway.
Original message follows:
bash# iptables-translate -A INPUT -s 0.0.0.0/8 -j DROP
nft add rule ip filter INPUT counter drop
bash#
(ignores source address match to yield a rule that drops everything)
(0.0.0.0/8 != 0.0.0.0/0)
bash# iptables-translate -6 -A protect-re -s 2001:db8:19::/64 -p tcp
--sport 80 -j ACCEPT
nft add rule ip filter protect-re ip6 saddr 2001:db8::ffff:ffff:0:0/0
tcp sport 80 counter accept
bash#
(borks the source address match completely)
The last example is converted correctly by ip6tables-translate. But as I
used to have ipv4 and ipv6 rules in the same file, I'm baffled by why
iptables-restore-translate even tries to convert the ipv6 rules. Surely
it should just skip them?
I also ran into a baffling error message for a rule that uses the
multiport module, and couldn't find a workaround or even what the real
problem was:
iptables-translate-restore v1.8.2 (nf_tables): multiport needs `-p tcp',
`-p udp', `-p udplite', `-p sctp' or `-p dccp'
Here's an attempt to manually translate the line in question:
bash# iptables-translate -4 -A protect-re -m multiport -p udp -s
10.0.0.0/24 --ports 161,514 -j ACCEPT
nft # -4 -A protect-re -m multiport -p udp -s 10.0.0.0/24 --ports
161,514 -j ACCEPT
bash#
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190827/1d2bcfd3/attachment.html>
Possibly Parallel Threads
- [Bug 1335] New: iptables-restore will crash if -6 rules are present
- [Bug 1233] New: Problem with import of small iptables rule sets with multiport match
- [Bug 1348] New: v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
- [Bug 1448] New: SNAT/DNAT/Masquerading not working for UDPLite protocol
- [Bug 1412] New: ip6tables-nft not accepting "icmp" as shorthand for "icmpv6"
Wisdom of the Ancients
