thr3ads.net - netfilter buglog - [Bug 1501] issue with DNAT port range [Jul 2023]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at netfilter.org

2023-Jul-27 09:08 UTC

[Bug 1501] issue with DNAT port range

https://bugzilla.netfilter.org/show_bug.cgi?id=1501

--- Comment #8 from marco.drummer at outlook.com ---
(In reply to Phil Sutter from comment #7)

I am currently using iptables v1.8.7 (nf_tables) on Ubuntu 22.04.2 LTS

Almost all of my rules are converted to nft to make use of the advantages and
simplifications in syntax.

However since shifted port ranges are still not available I still have a single
rule that is being applied by iptables_nft
> What performance and compatibility drawbacks are you talking about in
> particular?

Nftables are generally "advertised" as being faster than the old
xtables kernel
structures, which together with being pushed away from legacy iptables by more
and more distributions is why I did this.

> 
> Why would iptables not print anything? Any rule created with iptables-nft
> will
> be listed correctly by iptables-nft(-save).
> 
> Cheers, Phil
At the moment nft list ruleset prints: 

        chain PREROUTING {
                meta l4proto tcp tcp dport 5500-5600 counter packets 14219
bytes 579188 dnat to 10.212.0.1:21500-21600;5500
        }

This rule was set by iptables-nft since nft does not support it.
However if newer versions of nft will no longer print this since it is
essentially wrong syntax I have no means to see that rule is active
since iptables-nft refuses to print any output:

iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft'
tool.



You will probably tell me that mixing nft and iptables is the issue and I
agree, but more and more distributions are finding ways to force people towards
nft, but things like shifted port ranges are still not available.
So either this interoperability has to keep working without silently dropping
non-parsable rules from the nft output or nft tables needs to implement missing
features.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230727/a64f4d2b/attachment.html>

Maybe Matching Threads

Search for more apparently analagous threads

netfilter buglog - Jul 2023 - [Bug 1501] issue with DNAT port range

[Bug 1501] issue with DNAT port range

Maybe Matching Threads

Wisdom of the Ancients