[Bug 1051] nftables DNAT not working

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue May 17 17:12:21 CEST 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1051

--- Comment #4 from Andrey <andrey.aleksandrovich at googlemail.com> ---
Well, yes, there were some mixings of iptables/nftables options in the kernel
config. I have disabled all related to iptables and enabled
CONFIG_NFT_CHAIN_NAT_IPV4 (I'd missed it at that time). So it's working now,
but some issues are still there.

First. It didn't return any error when I was adding nat rules while
CONFIG_NFT_CHAIN_NAT_IPV4 was disabled.

Second. I was playing only with ports 80 and 8080. And now, AFAICS, it doesn't
distinguish them by default (it falls back to the 'http' value). It looks like
this:
The router machine has an apache service installed (nftables is also there); its
internal address is 192.168.0.1. When I try to open
http://192.168.0.1:80 from my client machine (192.168.0.2) I see the "Welcome"
page.
If I try:
nft add rule nat prerouting ip daddr 192.168.0.1 tcp dport 8080 redirect to 80
and then try to open http://192.168.0.1:8080, it returns that the page is not
available.
BUT, when I use 58080 (instead of 8080):
nft add rule nat prerouting ip daddr 192.168.0.1 tcp dport 58080 redirect to 80
http://192.168.0.1:58080 returns "Welcome" again.
In the table listing ('nft list table nat -a -nn') I also saw port 591 (which I set
nowhere).

So, I think it must respect the port number, and not fall back to its designation
(to avoid port number mixing).

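The reporter's observation (a rule entered for 8080 ends up matching 591) is the classic failure mode of resolving a port to a service name and then resolving the name back to a port when the name is not unique in /etc/services. The following added example, which is not part of the bug report or of nftables, reproduces that round trip on a constructed /etc/services excerpt so you can check whether a port you intend to use is ambiguous before relying on a name-based listing.

```python
"""Round-trip a port number through service-name resolution and flag
ports whose name resolves back to a different number.

Added example, not code from the bug report or from nftables. The
/etc/services content below is constructed for the demonstration; real
files vary between systems, which is exactly why this check matters."""

# Constructed excerpt in /etc/services format: 591 and 8080 both carry
# the name http-alt, so the name alone cannot identify the port.
SERVICES_TEXT = """\
# service-name  port/protocol  [aliases...]
http            80/tcp          www www-http
http-alt        591/tcp         # HTTP Alternate
http-alt        8080/tcp        webcache
https           443/tcp
"""


def parse_services(text, proto="tcp"):
    """Return (port_to_name, name_to_ports) for one protocol family."""
    port_to_name = {}
    name_to_ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, line_proto = portproto.split("/")
        if line_proto != proto:
            continue
        port = int(port)
        # First entry wins, mirroring getservbyport()/getservbyname().
        port_to_name.setdefault(port, name)
        name_to_ports.setdefault(name, []).append(port)
    return port_to_name, name_to_ports


def round_trip(port, text=SERVICES_TEXT):
    """Resolve port -> name -> port and report whether the number changed.

    'ambiguous' is True when the name that a tool would print for `port`
    resolves back to a different number, i.e. a rule written with the
    number could be re-read as a rule for another port."""
    port_to_name, name_to_ports = parse_services(text)
    name = port_to_name.get(port)
    if name is None:   # unregistered ports (e.g. 58080) print as numbers
        return {"port": port, "name": None, "resolved": port, "ambiguous": False}
    resolved = name_to_ports[name][0]
    return {"port": port, "name": name, "resolved": resolved,
            "ambiguous": resolved != port}
```

Running `round_trip(8080)` on this data yields name `http-alt` resolving back to 591, matching the stray 591 in the reporter's listing, while 58080 has no name and survives unchanged; listing rules with numeric output (`-nn`) sidesteps the round trip entirely.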