[Bug 1255] nftables SNAT is not working
bugzilla-daemon at netfilter.org
Mon Oct 7 07:19:15 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1255
Thomas <tad1073 at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tad1073 at gmail.com
--- Comment #3 from Thomas <tad1073 at gmail.com> ---
(In reply to Andrey Belkin from comment #0)
> Set-up:
>
> 1. Linux (tried on LEDE at arm, OpenWrt at arm, Ubuntu16 at x86)
> 2. iptables disabled (kernel modules unloaded)
> 3. nftables (tried v. 0.8, 0.8.2)
> 4. chains and NAT are created according to official nftables wiki
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT):
>
> % nft add table nat
> % nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> % nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
>
> By this set-up, dnat functions as expected, e.g.:
>
> % nft add rule nat prerouting tcp dport 15000 dnat 192.168.0.50:20000
>
> redirects all incoming TCP packets from port 15000 to 192.168.0.50:20000 and
> back.
>
>
> However, no snat rule is processed (neither rule of):
>
> % nft add rule nat postrouting counter ip saddr 192.168.0.50 snat 1.2.3.4
> % nft add rule nat postrouting counter tcp sport 20000 snat 1.2.3.4:1234
> % nft add rule nat postrouting counter ip protocol tcp drop
>
> I've tried these rules separately or in variations (oif, ip+tcp, ...) - the
> packets are still going through unchanged (proved by WireShark) or not
> dropped. Though:
>
> 1. The postrouting chain is processed, since if I remove the postrouting chain,
> dnat (by prerouting) stops working (as expected).
> 2. Adding a drop rule to input or output chains works.
>
> Any ideas here?
If you're copying and pasting, that might be the problem.