<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - issue with DNAT port range"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1501#c9">Comment # 9</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - issue with DNAT port range"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1501">bug 1501</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>(In reply to marco.drummer from <a href="show_bug.cgi?id=1501#c8">comment #8</a>)
<span class="quote">> (In reply to Phil Sutter from <a href="show_bug.cgi?id=1501#c7">comment #7</a>)
>
> I am currently using iptables v1.8.7 (nf_tables) on Ubuntu 22.04.2 LTS
>
> Almost all of my rules are converted to nft to make use of the advantages
> and simplifications in syntax.
>
> However since shifted port ranges are still not available I still have a
> single rule that is being applied by iptables_nft
>
> > What performance and compatibility drawbacks are you talking about in
> > particular?
>
>
> Nftables are generally "advertised" as being faster than the old xtables
> kernel structures, which together with being pushed away from legacy
> iptables by more and more distributions is why I did this.</span>
Ah, I wasn't aware you're actively mixing iptables-nft and nft to create your
ruleset. This certainly explains the "compatibility drawbacks" you're
experiencing. Which is certainly no surprise.
<span class="quote">> > Why would iptables not print anything? Any rule created with iptables-nft
> > will
> > be listed correctly by iptables-nft(-save).
> >
> > Cheers, Phil
>
> At the moment nft list ruleset prints:
>
> chain PREROUTING {
> meta l4proto tcp tcp dport 5500-5600 counter packets 14219
> bytes 579188 dnat to 10.212.0.1:21500-21600;5500
> }
>
> This rule was set by iptables-nft since nft does not support it.
> However if newer versions of nft will no longer print this since it is
> essentially wrong syntax I have no means to see that rule is active
> since iptables-nft refuses to print any output:
>
> iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.</span>
You might avoid this by creating a custom chain to hold the iptables-nft rule
and listing it using 'iptables -t nat -S <chain>'. Due to reduced caching,
iptables should not see the tables' other chains then.
Though you'll get a rough idea from nft listing, too. It merely doesn't print a
translation but something like 'xt target DNAT'.
<span class="quote">> You will probably tell me that mixing nft and iptables is the issue and I
> agree, but more and more distributions are finding ways to force people
> towards nft, but things like shifted port ranges are still not available.
> So either this interoperability has to keep working without silently
> dropping non-parsable rules from the nft output or nft tables needs to
> implement missing features.</span>
I agree, but capacities are limited. If you're familiar with nftables code,
feel free to chime in:
- Kernel space is ready AFAICT:
<a href="https://lore.kernel.org/netfilter-devel/20230324190419.543888-2-jeremy@azazel.net/T/">https://lore.kernel.org/netfilter-devel/20230324190419.543888-2-jeremy@azazel.net/T/</a>
- User space is WiP, it needs support for use of maps:
<a href="https://lore.kernel.org/all/20230425195143.GC5944@celephais.dreamlands/t/">https://lore.kernel.org/all/20230425195143.GC5944@celephais.dreamlands/t/</a>
Cheers, Phil</pre>
</div>
</p>
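As an added example (not code from the bug report or the netfilter project): a small Python audit that scans an nft ruleset listing for rules nft can only show as opaque xt expressions (the "xt target DNAT" form Phil mentions, with or without quotes), and parses the shifted-range DNAT rule quoted in comment #8 so its port mapping can be sanity-checked. The sample listing, the chain name SHIFTED_DNAT and the assumed mapping (new port = range start + (dport - base)) are constructed for illustration.

```python
import re

# Constructed sample listing modelled on the PREROUTING rule quoted in comment #8
# and on the opaque 'xt target' form Phil mentions; not real output from the bug.
SAMPLE_LISTING = """\
table ip nat {
    chain PREROUTING {
        meta l4proto tcp tcp dport 5500-5600 counter packets 14219 bytes 579188 dnat to 10.212.0.1:21500-21600;5500
    }
    chain SHIFTED_DNAT {
        meta l4proto tcp tcp dport 5500-5600 counter packets 0 bytes 0 xt target "DNAT"
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
XT_RE = re.compile(r'\bxt\s+(target|match)\s+"?([\w-]+)"?')
SHIFT_RE = re.compile(r"tcp dport (\d+)-(\d+).*dnat to (\S+?):(\d+)-(\d+);(\d+)")

def find_opaque_rules(listing):
    """Return (chain, kind, name) for each rule nft can only show as an xt expression."""
    found, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = XT_RE.search(line)
        if m:
            found.append((chain, m.group(1), m.group(2)))
    return found

def parse_shifted_dnat(rule):
    """Parse 'tcp dport A-B ... dnat to ADDR:C-D;E' into a dict, else None."""
    m = SHIFT_RE.search(rule)
    if not m:
        return None
    ml, mh, addr, nl, nh, base = m.groups()
    return {"match": (int(ml), int(mh)), "addr": addr,
            "nat": (int(nl), int(nh)), "base": int(base)}

def map_port(spec, dport):
    # Assumed shifted-range semantics: new port = nat_lo + (dport - base).
    return spec["nat"][0] + (dport - spec["base"])

def covers_match_range(spec):
    # Audit check: every matched dport must map inside nat_lo..nat_hi.
    lo, hi = spec["match"]
    return lo >= spec["base"] and map_port(spec, hi) <= spec["nat"][1]
```

Run `find_opaque_rules(SAMPLE_LISTING)` to see which chains hold rules you cannot read from the nft side and should list with `iptables -t nat -S <chain>` instead.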
</body>
</html>