[Bug 1255] New: nftables SNAT is not working

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu May 3 16:09:16 CEST 2018 

https://bugzilla.netfilter.org/show_bug.cgi?id=1255

            Bug ID: 1255
           Summary: nftables SNAT is not working
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: belkin_a at hotmail.com

Set-up:

 1. Linux (tried on LEDE at arm, OpenWrt at arm, Ubuntu16 at x86)
 2. iptables disabled (kernel modules unloaded)
 3. nftables (tried v. 0.8, 0.8.2)
 4. chains and NAT are created according to official nftables wiki
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT):

% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

By this set-up, dnat functions as expected, e.g.:

% nft add rule nat prerouting tcp dport 15000 dnat 192.168.0.50:20000

redirects all incoming TCP packets from port 15000 to 192.168.0.50:20000 and
back.


However, no snat rule is processed (neither rule of):

% nft add rule nat postrouting counter ip saddr 192.168.0.50 snat 1.2.3.4
% nft add rule nat postrouting counter tcp sport 20000 snat 1.2.3.4:1234
% nft add rule nat postrouting counter ip protocol tcp drop

I've tried these rules separately or in variations (oif, ip+tcp, ...) - the
packets are still going through unchanged (proved by WireShark) or not dropped.
Though:

 1. The postrouting chain is processed, since if I remove postrouting chain,
dnat (by prerouting) stops to work (as expected).
 2. Adding a drop rule to input or output chains works.

Any ideas here?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180503/f9790308/attachment.html>

More information about the netfilter-buglog mailing list