[Bug 1748] nft masquerade commands make table nat unreadable by iptables-nft
bugzilla-daemon at netfilter.org
Thu Apr 18 13:27:59 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1748
Phil Sutter <phil at nwl.cc> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |phil at nwl.cc
Resolution|--- |INVALID
--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Hi,
(In reply to Thomas Schlien from comment #0)
> If I inject a masquerade rule into the nat table by nft I cannot read the
> table with iptables-nft (git hash 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
> and also older versions like 1.8.9) anymore until I delete this single rule
> with the nft tool.
This is expected behaviour. You should not mix iptables-nft and nft tools when
manipulating the ruleset. Doing so is a good way to shoot oneself in the foot
(as you did).
> E.g. if I put the below configuration into file postrouting.nft and inject it
> via `nft -f postrouting.nft`:
> table ip nat {
> chain POSTROUTING {
> oifname != "br-mailcow" ip saddr 172.22.1.0/24 masquerade
> }
> }
>
> `iptables -t nat -L` then tells me `iptables v1.8.10 (nf_tables): table
> `nat' is incompatible, use 'nft' tool.` If I inject the same rule with
> iptables-nft, everything is working fine. I was able to fix this behavior by
> this patch to iptables, but I am pretty sure that this is not the right way
> to do it:
>
> diff --git a/iptables/nft.c b/iptables/nft.c
> index 884cc77e..a7086014 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -3931,6 +3931,7 @@ static const char *supported_exprs[] = {
> "immediate",
> "lookup",
> "range",
> + "masq",
> };
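Review bot: the new "masq" entry has no counterpart in the rule printer, so this hunk only stops nft_is_rule_compatible from rejecting the table; `iptables -t nat -L` would then list the rule from the report, whose only action is the masquerade, with its match but no target at all, which misleads more quietly than the current "table `nat' is incompatible" error. Either pair the entry with code that translates the native masq expression into a MASQUERADE target (with its options) when printing, or leave the list unchanged so the table keeps being rejected.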
This will merely accept the unsupported expression in the rule but the output
is likely incomplete (or even broken).
> In my further debugging I found that the rule injected by iptables seems to
> have "target" as expression instead of "masq", but this only as a hint for
> someone who really knows the code. ;-)
For NAT rules, iptables-nft uses xtables extensions (xt_MASQUERADE.ko) while
nft uses its native code (nft_masq.ko). There are "compat" nftables expressions
named "match" and "target" to call xtables extensions from an nftables rule.
> Yesterday morning this "bug" caused a severe problem as libvirt was not able
> to read the nat table anymore because I used some nft commands before to
> insert some masquerading rules. This also may affect others who update their
> libvirt in, e.g., Ubuntu, and have inserted masquerading rules in the nat
> table via `nft`.
Starting with v1.0.6, nft even warns when listing a ruleset which contains the
compat expressions mentioned above.
Cheers, Phil
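A check for the trap discussed in this report, added here as an example and not code from iptables, nftables or libvirt: it reads an `nft -j list ruleset` dump and reports, per table, which rules carry native statements that iptables-nft has no printer for and which rules went through the xtables compat path, so a table that both tools have written to (the situation that broke libvirt) shows up before `iptables -t nat -L` fails. The JSON shapes (a native masquerade as `{"masquerade": null}`, a compat target as `{"xt": {"type": "target", "name": "MASQUERADE"}}`) and the sets of statement names iptables-nft can translate are assumptions based on the libnftables JSON format and the supported_exprs[] excerpt above; the sample dump is constructed, not captured from a host.

```python
"""Audit an `nft -j list ruleset` dump for tables iptables-nft will refuse.
Added example for this bug thread, not code from iptables, nftables or
libvirt; runs offline on the constructed SAMPLE_DUMP below."""
import json

# ASSUMPTION: libnftables renders each rule as a list of one-key statement
# objects, e.g. {"masquerade": null} for nft's native expression and
# {"xt": {"type": "target", "name": "MASQUERADE"}} for the compat target
# iptables-nft emits.  Names below are libnftables' JSON names, not the
# kernel expression names in iptables' supported_exprs[]; the set is an
# approximation of that list.
STMTS_IPTABLES_NFT_READS = {
    "match", "counter", "immediate", "lookup", "range", "xt",
    "accept", "drop", "return", "jump", "goto",
}
# ASSUMPTION: the only selectors iptables-nft translates on the left-hand
# side of a match are the kernel "payload" and "meta" expressions; a native
# "ct" match, for instance, is not in supported_exprs[] either.
MATCH_LEFT_IPTABLES_NFT_READS = {"payload", "meta"}


def _key(obj):
    """Return the single key of a one-key JSON object."""
    return next(iter(obj))


def unreadable_stmts(rule):
    """Names of statements in `rule` that iptables-nft has no printer for."""
    bad = []
    for stmt in rule.get("expr", []):
        name = _key(stmt)
        if name not in STMTS_IPTABLES_NFT_READS:
            bad.append(name)
        elif name == "match":
            left = stmt["match"]["left"]
            if isinstance(left, dict) and _key(left) not in MATCH_LEFT_IPTABLES_NFT_READS:
                bad.append("match/" + _key(left))
    return bad


def audit(ruleset_json):
    """Group findings per (family, table).
    "native": (chain, handle, stmt) for statements iptables-nft cannot print,
    "compat": (chain, handle, xt name) for rules that went through xtables.
    A table with entries in both lists was written by both tools."""
    report = {}
    for obj in json.loads(ruleset_json)["nftables"]:
        rule = obj.get("rule")
        if rule is None:  # table/chain/set objects carry no statements
            continue
        entry = report.setdefault((rule["family"], rule["table"]),
                                  {"native": [], "compat": []})
        for name in unreadable_stmts(rule):
            entry["native"].append((rule["chain"], rule["handle"], name))
        for stmt in rule.get("expr", []):
            if _key(stmt) == "xt":
                entry["compat"].append((rule["chain"], rule["handle"],
                                        stmt["xt"]["name"]))
    return report


def tables_iptables_cannot_read(report):
    """Tables for which `iptables -t <name> -L` would say 'incompatible'."""
    return sorted(t for t, e in report.items() if e["native"])


def tables_mixed(report):
    """Tables carrying both native and xt-compat rules (the foot-gun)."""
    return sorted(t for t, e in report.items() if e["native"] and e["compat"])


def _match(left, right, op="=="):
    return {"match": {"op": op, "left": left, "right": right}}


def _rule(table, chain, handle, *stmts):
    return {"rule": {"family": "ip", "table": table, "chain": chain,
                     "handle": handle, "expr": list(stmts)}}


_OIF_NOT_BRIDGE = _match({"meta": {"key": "oifname"}}, "br-mailcow", "!=")
_SADDR_LAN = _match({"payload": {"protocol": "ip", "field": "saddr"}},
                    {"prefix": {"addr": "172.22.1.0", "len": 24}})

# Constructed sample dump (not captured from a real host): the rule from the
# report as `nft -f` creates it, the same rule as iptables-nft creates it, and
# a filter table with one rule iptables-nft can read and one it cannot.
SAMPLE_DUMP = json.dumps({"nftables": [
    {"table": {"family": "ip", "name": "nat", "handle": 1}},
    _rule("nat", "POSTROUTING", 3, _OIF_NOT_BRIDGE, _SADDR_LAN,
          {"masquerade": None}),
    _rule("nat", "POSTROUTING", 4, _OIF_NOT_BRIDGE, _SADDR_LAN,
          {"counter": {"packets": 0, "bytes": 0}},
          {"xt": {"type": "target", "name": "MASQUERADE"}}),
    {"table": {"family": "ip", "name": "filter", "handle": 5}},
    _rule("filter", "INPUT", 7, _match({"meta": {"key": "iifname"}}, "lo"),
          {"accept": None}),
    _rule("filter", "INPUT", 8,
          _match({"ct": {"key": "state"}}, ["established"], "in"),
          {"accept": None}),
]})


if __name__ == "__main__":
    rep = audit(SAMPLE_DUMP)
    for tbl in tables_iptables_cannot_read(rep):
        print("%s %s: unreadable by iptables-nft: %s"
              % (tbl[0], tbl[1], rep[tbl]["native"]))
    print("tables written by both tools:", tables_mixed(rep))
```

On a real host, feed `nft -j list ruleset` output to audit() before an iptables-nft consumer such as libvirt touches the ruleset; the two name sets are approximations and should be extended from the actual supported_exprs[] array in iptables/nft.c of the iptables version in use.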