[Bug 1748] New: nft masquerade commands make table nat unreadable by iptables-nft

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Apr 18 11:14:12 CEST 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1748

            Bug ID: 1748
           Summary: nft masquerade commands make table nat unreadable by
                    iptables-nft
           Product: iptables
           Version: git (please indicate commit ID)
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: ts at ferncast.de

Hi,

If I inject a masquerade rule into the nat table via nft, I cannot read the
table with iptables-nft (git hash 8bf2bab8eb2e4f5ae2fef859ea7c877662854101 and
also older versions like 1.8.9) anymore until I delete this single rule with the
nft tool.

E.g. if I put the configuration below into a file postrouting.nft and inject it
via `nft -f postrouting.nft`:
table ip nat {
    chain POSTROUTING {
        oifname != "br-mailcow" ip saddr 172.22.1.0/24 masquerade
    }
}

`iptables -t nat -L` then tells me `iptables v1.8.10 (nf_tables): table `nat'
is incompatible, use 'nft' tool.` If I inject the same rule with iptables-nft,
everything works fine. I was able to fix this behavior with the patch to
iptables below, but I am pretty sure that this is not the right way to do it:

diff --git a/iptables/nft.c b/iptables/nft.c
index 884cc77e..a7086014 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3931,6 +3931,7 @@ static const char *supported_exprs[] = {
        "immediate",
        "lookup",
        "range",
+       "masq",
 };
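Review bot: whitelisting "masq" in supported_exprs only gets the expression past the compatibility check; nothing in this hunk teaches the rule-printing and translation path how to render a masq expression as a `-j MASQUERADE` target (or its options such as port ranges and random mapping), so `iptables -t nat -L` may pass the check and then print the rule without its target, or misbehave further down. A change that admits a new expression type should come with the code that handles it and a test case under iptables/tests/shell. Minor: the visible entries ("immediate", "lookup", "range") are in alphabetical order, so "masq" belongs between "lookup" and "range" rather than appended after "range".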

In my further debugging I found that the rule injected by iptables seems to
have "target" as the expression instead of "masq", but this is only a hint for
someone who really knows the code. ;-)

Yesterday morning this "bug" caused a severe problem, as libvirt was not able to
read the nat table anymore because I had used some nft commands before to insert
some masquerading rules. This may also affect others who update their libvirt
in, e.g., Ubuntu, and have inserted masquerading rules into the nat table via
`nft`.

Best regards,
Thomas
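The report above describes a mismatch between the expression names iptables-nft
accepts (its supported_exprs allow-list in iptables/nft.c) and the expression
that nft emits for a native `masquerade` statement. The following script is an
added example, not code from the bug report or from the netfilter project: it
walks a ruleset in the shape `nft -j list ruleset` prints and reports which
rules iptables-nft will refuse, so an administrator can find the offending rule
before libvirt or a firewall script trips over `table 'nat' is incompatible`.
The allow-list, the mapping from nft JSON statement keys to libnftnl expression
names, and the sample ruleset are all assumptions made for this example.

```python
"""Flag nft rules that iptables-nft will refuse to read.

Added example; not from the bug report or the netfilter project.
iptables-nft accepts a table only if every expression of every rule is on its
supported_exprs allow-list (iptables/nft.c).  That list uses libnftnl
expression names ("masq", "target", ...), while `nft -j list ruleset` prints
nft's own statement keys ("masquerade", "xt", ...), so a mapping between the
two is needed.  Both the list and the mapping below are assumptions.
"""
import json

# Assumed subset of supported_exprs from iptables/nft.c.  "masq" is left out on
# purpose: that is the behaviour the bug report describes.
SUPPORTED_EXPRS = {
    "bitwise", "cmp", "counter", "immediate", "limit", "log", "lookup",
    "match", "meta", "payload", "range", "target",
}

# Assumed mapping from simple `nft -j` statement keys to libnftnl names.
SIMPLE_STMT_TO_EXPR = {
    "masquerade": "masq",
    "snat": "nat",
    "dnat": "nat",
    "accept": "immediate",
    "drop": "immediate",
    "counter": "counter",
}


def libnftnl_exprs(stmt):
    """Expand one nft JSON statement into the libnftnl expressions that end up
    in the kernel rule (simplified, assumed model)."""
    key, val = next(iter(stmt.items()))
    if key == "match":
        load = "meta" if "meta" in val["left"] else "payload"
        exprs = [load, "cmp"]
        right = val.get("right")
        if isinstance(right, dict) and "prefix" in right:
            exprs.insert(1, "bitwise")  # a prefix match masks the address first
        return exprs
    if key == "xt":
        # iptables-nft extension statement: val["type"] is "match" or "target"
        return [val["type"]]
    return [SIMPLE_STMT_TO_EXPR.get(key, key)]


def incompatible_rules(ruleset, supported=SUPPORTED_EXPRS):
    """Return (family+table, chain, handle, offending exprs) for every rule
    that iptables-nft cannot represent."""
    hits = []
    for obj in ruleset["nftables"]:
        rule = obj.get("rule")
        if rule is None:
            continue
        bad = sorted({name for stmt in rule["expr"]
                      for name in libnftnl_exprs(stmt) if name not in supported})
        if bad:
            hits.append((f'{rule["family"]} {rule["table"]}', rule["chain"],
                         rule.get("handle"), bad))
    return hits


def table_readable(ruleset, family, table):
    """True if `iptables -t <table> -L` would not report the table as incompatible."""
    return not any(t == f"{family} {table}" for t, *_ in incompatible_rules(ruleset))


def without_rule(ruleset, handle):
    """Simulate `nft delete rule <family> <table> <chain> handle <handle>`."""
    keep = [o for o in ruleset["nftables"]
            if not (o.get("rule") and o["rule"].get("handle") == handle)]
    return {"nftables": keep}


def _match(left, op, right):
    return {"match": {"op": op, "left": left, "right": right}}


OIF_NOT_BRIDGE = _match({"meta": {"key": "oifname"}}, "!=", "br-mailcow")
SRC_NET = _match({"payload": {"protocol": "ip", "field": "saddr"}}, "==",
                 {"prefix": {"addr": "172.22.1.0", "len": 24}})

# Constructed ruleset in the shape of `nft -j list ruleset`: the rule from the
# bug report loaded once with `nft -f` (handle 5, native masquerade) and once
# with iptables-nft (handle 6, which emits an xt "target" expression instead).
SAMPLE_RULESET = {"nftables": [
    {"table": {"family": "ip", "name": "nat", "handle": 1}},
    {"chain": {"family": "ip", "table": "nat", "name": "POSTROUTING", "handle": 2}},
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 5,
              "expr": [OIF_NOT_BRIDGE, SRC_NET, {"masquerade": None}]}},
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 6,
              "expr": [OIF_NOT_BRIDGE, SRC_NET,
                       {"xt": {"type": "target", "name": "MASQUERADE"}}]}},
]}


if __name__ == "__main__":
    import sys
    # Usage: nft -j list ruleset | python3 nft_compat_check.py
    # (run without stdin to analyse the constructed sample instead)
    ruleset = SAMPLE_RULESET if sys.stdin.isatty() else json.load(sys.stdin)
    for table, chain, handle, bad in incompatible_rules(ruleset):
        print(f"{table} chain {chain} handle {handle}: "
              f"iptables-nft cannot read {', '.join(bad)}")
    print("table ip nat readable by iptables-nft:",
          table_readable(ruleset, "ip", "nat"))
```

On the sample, the native rule (handle 5) is the only one flagged, with "masq"
as the offending expression, while the iptables-nft rule (handle 6) passes
because its MASQUERADE is an xt "target"; removing handle 5 makes the table
readable again, which is the recovery the report describes.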
