[Bug 1227] New: Current conntrack state isn't considered when evaluating multiple SNAT rules
bugzilla-daemon at netfilter.org
Thu Feb 15 14:52:36 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1227
Bug ID: 1227
Summary: Current conntrack state isn't considered when evaluating multiple SNAT rules
Product: netfilter/iptables
Version: unspecified
Hardware: All
OS: other
Status: NEW
Severity: enhancement
Priority: P5
Component: NAT
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: richard at helix.net.nz
If multiple SNAT rules exist with specific sport ranges, only the first
matching entry is evaluated even when the sport range is exhausted.
Example:
root@LEDE:~# iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 127 packets, 8757 bytes)
 pkts bytes target           prot opt in  out        source     destination
 3618  215K postrouting_rule all  --  *   *          0.0.0.0/0  0.0.0.0/0  /* !fw3: user chain for postrouting */
    9   616 SNAT             icmp --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 0 */ to:2.127.254.0:1088-1151
 2661  139K SNAT             tcp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 1 */ to:2.127.254.0:1088-1151
  821 66973 SNAT             udp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 2 */ to:2.127.254.0:1088-1151
    0     0 SNAT             icmp --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 3 */ to:2.127.254.0:2112-2175
    0     0 SNAT             tcp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 4 */ to:2.127.254.0:2112-2175
    0     0 SNAT             udp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 5 */ to:2.127.254.0:2112-2175
    0     0 SNAT             icmp --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 6 */ to:2.127.254.0:3136-3199
    0     0 SNAT             tcp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 7 */ to:2.127.254.0:3136-3199
    0     0 SNAT             udp  --  *   map-mapt0  0.0.0.0/0  0.0.0.0/0  /* !fw3: ubus:mapt0[map] nat 8 */ to:2.127.254.0:3136-3199
For some additional context, when implementing RFC7597 or RFC7599, the
netfilter device may only have permission to use a subset of an IPv4 address's
65535 ports.
The ports that this particular device is allowed to use may also be carved up
into multiple non-contiguous blocks, as per the above example.
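The port blocks in the listing above (1088-1151, 2112-2175, 3136-3199, ...) are what the RFC 7597 port-set algorithm yields for a PSID of 1 with a 4-bit PSID and the default offset of 6. The following script is an added example, not part of the bug report or of netfilter: it derives those blocks from the PSID and models the difference between selecting only the first matching SNAT range (the reported behaviour) and falling through to later ranges once a block is exhausted. The PSID, PSID length and offset are inferred from the ranges in the report; the allocator is a simplified model, not the kernel's NAT code.

```python
# Added example: derive RFC 7597 (MAP) port sets and model SNAT range selection.
# Not netfilter code; PSID/offset values are inferred from the ranges in the report.

def map_port_ranges(psid, psid_len, offset=6):
    """Return the (first, last) port blocks a MAP CE may use, per RFC 7597 5.1.
    port = A << (16 - offset) | psid << (16 - offset - psid_len) | M,
    with A >= 1 (A = 0 covers the well-known ports and is excluded)."""
    m_bits = 16 - offset - psid_len          # contiguous ports per block
    block = 1 << m_bits
    ranges = []
    for a in range(1, 1 << offset):
        first = (a << (16 - offset)) | (psid << m_bits)
        ranges.append((first, first + block - 1))
    return ranges

def allocate(flows, ranges, consider_exhaustion):
    """Model: each flow needs a distinct source port from the device's blocks.
    First-match-only (the reported behaviour) sticks to the first range;
    exhaustion-aware selection falls through to later ranges.
    Returns (flows mapped, flows left without a port)."""
    used = set()
    mapped = 0
    candidates = ranges if consider_exhaustion else ranges[:1]
    for _ in range(flows):
        for first, last in candidates:
            port = next((p for p in range(first, last + 1) if p not in used), None)
            if port is not None:
                used.add(port)
                mapped += 1
                break
    return mapped, flows - mapped

if __name__ == "__main__":
    rng = map_port_ranges(psid=1, psid_len=4)
    print(rng[:3])                   # [(1088, 1151), (2112, 2175), (3136, 3199)]
    print(len(rng))                  # 63 blocks of 64 ports
    print(allocate(200, rng, False)) # (64, 136): first block exhausted, rest unused
    print(allocate(200, rng, True))  # (200, 0)
```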