<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - masquerade fully broken when no prerouting chain is created"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1105">1105</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>masquerade fully broken when no prerouting chain is created
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>kernel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>s1410239008@students.fh-hagenberg.at
          </td>
        </tr></table>
      <p>
        <div>
        <pre>When no prerouting hook is created, the packets will be able to pass through the
machine outside but the answers will not be redirected to the original source.

So if I ping from a lxc container to an IP like 8.8.8.8 the packet will pass
with the source IP of the host but the answers are not forwarded back.

Creating an empty prerouting chain with its hook solved the issue.

My NAT rules are:
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname eth0 masquerade
  }
}

Kernel: 4.8.13-1-ARCH
Version: nftables 1:0.6-3
Distribution: ArchLinux</pre>
        </div>
      </p>
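      <p>An added audit check, not part of the original report or of nftables itself: it scans the text printed by <code>nft list ruleset</code> for the layout the report describes, a nat table that masquerades in postrouting while registering no prerouting hook. The function names and both sample rulesets are constructed for illustration.</p>
      <pre>
```python
import re

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"type\s+nat\s+hook\s+(\w+)")
MASQ_RE = re.compile(r"\bmasquerade\b")

# Constructed samples: the layout from the report without and with the empty chain.
POSTROUTING_ONLY = """table ip nat {
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        oifname "eth0" masquerade
    }
}"""
WITH_EMPTY_PREROUTING = """table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        oifname "eth0" masquerade
    }
}"""

def nat_hooks_by_table(ruleset_text):
    """Map 'family name' to {hook: True if that base chain holds a masquerade rule}."""
    tables, table, hook = {}, None, None
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            table, hook = " ".join(m.groups()), None
            tables[table] = {}
        elif line.startswith("chain "):
            hook = None  # new chain: hook unknown until its "type nat hook" line
        elif table is not None:
            h = HOOK_RE.search(line)
            if h:
                hook = h.group(1)
                tables[table].setdefault(hook, False)
            elif hook and MASQ_RE.search(line):
                tables[table][hook] = True
    return tables

def tables_matching_report(ruleset_text):
    """Tables that masquerade in postrouting but have no nat prerouting hook."""
    return [name for name, hooks in nat_hooks_by_table(ruleset_text).items()
            if hooks.get("postrouting") and "prerouting" not in hooks]

if __name__ == "__main__":
    print(tables_matching_report(POSTROUTING_ONLY))
```
      </pre>
      <p>Only masquerade rules placed directly in the hooked chain are detected; rules reached through a jump to a regular chain are not followed.</p>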
    </body>
</html>