[Bug 1501] issue with DNAT port range
bugzilla-daemon at netfilter.org
Thu Jul 27 13:18:45 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1501
--- Comment #9 from Phil Sutter <phil at nwl.cc> ---
(In reply to marco.drummer from comment #8)
> (In reply to Phil Sutter from comment #7)
>
> I am currently using iptables v1.8.7 (nf_tables) on Ubuntu 22.04.2 LTS
>
> Almost all of my rules are converted to nft to make use of the advantages
> and simplifications in syntax.
>
> However since shifted port ranges are still not available I still have a
> single rule that is being applied by iptables_nft
>
> > What performance and compatibility drawbacks are you talking about in
> > particular?
>
>
> Nftables are generally "advertised" as being faster than the old xtables
> kernel structures, which together with being pushed away from legacy
> iptables by more and more distributions is why I did this.
Ah, I wasn't aware you're actively mixing iptables-nft and nft to create your
ruleset. This certainly explains the "compatibility drawbacks" you're
experiencing. Which is certainly no surprise.
> > Why would iptables not print anything? Any rule created with iptables-nft
> > will
> > be listed correctly by iptables-nft(-save).
> >
> > Cheers, Phil
>
> At the moment nft list ruleset prints:
>
> chain PREROUTING {
> meta l4proto tcp tcp dport 5500-5600 counter packets 14219 bytes 579188 dnat to 10.212.0.1:21500-21600;5500
> }
>
> This rule was set by iptables-nft since nft does not support it.
> However if newer versions of nft will no longer print this since it is
> essentially wrong syntax I have no means to see that rule is active
> since iptables-nft refuses to print any output:
>
> iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.
You might avoid this by creating a custom chain to hold the iptables-nft rule
and listing it using 'iptables -t nat -S <chain>'. Due to reduced caching,
iptables should not see the tables' other chains then.
Though you'll get a rough idea from nft listing, too. It merely doesn't print a
translation but something like 'xt target DNAT'.
> You will probably tell me that mixing nft and iptables is the issue and I
> agree, but more and more distributions are finding ways to force people
> towards nft, but things like shifted port ranges are still not available.
> So either this interoperability has to keep working without silently
> dropping non-parsable rules from the nft output or nft tables needs to
> implement missing features.
I agree, but capacities are limited. If you're familiar with nftables code,
feel free to chime in:
- Kernel space is ready AFAICT:
https://lore.kernel.org/netfilter-devel/20230324190419.543888-2-jeremy@azazel.net/T/
- User space is WiP, it needs support for use of maps:
https://lore.kernel.org/all/20230425195143.GC5944@celephais.dreamlands/t/
Cheers, Phil
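Phil's point that a mixed ruleset only shows iptables-nft rules as opaque 'xt target' entries is the kind of thing an admin wants to audit rather than stumble over. The following is an added example, not code from the bug report or from the netfilter project: it scans `nft list ruleset` text for rules that nft can only render as xtables wrappers, reporting their table and chain. The sample ruleset is constructed for this example, and the exact `xt target "DNAT"` spelling is assumed from Phil's description of the listing.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output on a host that mixes native
# nft rules with one iptables-nft DNAT rule (the port-shifting rule from the
# report). Newer nft prints such a rule as an opaque xtables target instead of
# attempting a translation; the "xt target" wording is assumed here.
SAMPLE_RULESET='table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		meta l4proto tcp tcp dport 5500-5600 counter packets 14219 bytes 579188 xt target "DNAT"
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" masquerade
	}
}
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
	}
}'

# Read ruleset text on stdin and print "family table/chain: rule" for every
# rule that nft shows only as an xtables wrapper (xt match or xt target).
# Such rules were created by iptables-nft and are the ones that get lost
# between the two tools' listings.
find_xt_rules() {
	awk '
		/^table /        { table = $2 " " $3 }
		/^[ \t]*chain /  { chain = $2 }
		/xt (match|target) / { sub(/^[ \t]+/, ""); print table "/" chain ": " $0 }
	'
}

# Convenience wrapper: number of xtables-wrapped rules in a ruleset string.
count_xt_rules() {
	printf '%s\n' "$1" | find_xt_rules | wc -l | tr -d ' '
}

# On a live host run: nft list ruleset | find_xt_rules
printf '%s\n' "$SAMPLE_RULESET" | find_xt_rules
```

Every line reported here names a chain that iptables-nft created or touched, which is where `iptables -t nat -S <chain>` (as Phil suggests) will still give a readable listing.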