[Bug 1105] New: masquerade fully broken when no prerouting chain is created
bugzilla-daemon at netfilter.org
Sat Dec 24 15:04:05 CET 2016
https://bugzilla.netfilter.org/show_bug.cgi?id=1105
Bug ID: 1105
Summary: masquerade fully broken when no prerouting chain is created
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: s1410239008 at students.fh-hagenberg.at
When no prerouting hook is created, the packets are able to pass through the
machine to the outside, but the answers are not redirected to the original source.
So if I ping from an lxc container to an IP like 8.8.8.8, the packet passes
with the source IP of the host, but the answers are not forwarded back.
Creating an empty prerouting chain with its hook solved the issue.
My NAT rules are:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname eth0 masquerade
    }
}
Kernel: 4.8.13-1-ARCH
Version: nftables 1:0.6-3
Distribution: ArchLinux
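As an added example (not part of the bug report), the following audit function scans an `nft list ruleset`-style text for the misconfiguration the report describes: a table whose nat-type chains apply a NAT action but do not register nat chains on both the prerouting and postrouting hooks, so replies have no hook where reverse translation can run. It generalizes the report's case slightly: a dnat in prerouting without a postrouting nat chain is flagged the same way. The sample rulesets are constructed here and are not taken from the report.

```python
import re

# Constructed rulesets (added here, not from the bug report), in `nft list ruleset` syntax.
# BROKEN: masquerade in postrouting, but no nat chain registered on the prerouting hook.
BROKEN_RULESET = """table ip nat {
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname eth0 masquerade
  }
}"""
# FIXED: the same, plus an empty nat chain on the prerouting hook.
FIXED_RULESET = """table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname eth0 masquerade
  }
}"""

TABLE_RE = re.compile(r"table\s+(\w+)\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)")
NAT_ACTION_RE = re.compile(r"\b(masquerade|snat|dnat|redirect)\b")
REQUIRED_HOOKS = {"prerouting", "postrouting"}

def audit_nat_hooks(ruleset):
    """Return [((family, table), [missing hooks])] for each table whose nat-type chains
    apply a NAT action without nat chains on both prerouting and postrouting."""
    tables, table, chain_type = {}, None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            table = (m.group(1), m.group(2))
            tables.setdefault(table, {"hooks": set(), "nat_action": False})
        elif table is None:
            continue  # ignore anything outside a table block
        elif line.startswith("chain "):
            chain_type = None  # new chain: forget the previous chain's type
        elif (m := HOOK_RE.match(line)):
            chain_type = m.group(1)
            if chain_type == "nat":
                tables[table]["hooks"].add(m.group(2))  # nat chain registered on this hook
        elif chain_type == "nat" and NAT_ACTION_RE.search(line):
            tables[table]["nat_action"] = True  # this table actually translates packets
    return [(key, sorted(REQUIRED_HOOKS - info["hooks"]))
            for key, info in tables.items()
            if info["nat_action"] and not REQUIRED_HOOKS <= info["hooks"]]
```

Running `audit_nat_hooks(BROKEN_RULESET)` reports the `ip nat` table with `prerouting` missing, while the fixed ruleset produces no findings.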