[Bug 1423] New: iptables-translate silently discards --ctstate DNAT
bugzilla-daemon at netfilter.org
Sat Apr 18 21:11:24 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1423
Bug ID: 1423
Summary: iptables-translate silently discards --ctstate DNAT
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: iptables over nftable
Assignee: pablo at netfilter.org
Reporter: oldium.pro at gmail.com
Bug originally reported in the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932899
I am also affected by the bug. I found the Debian bug, but it looks like it was ignored, so I am forwarding it here.
Original message follows:
This appears to be wrong -- the DNAT is "eaten":
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct state counter accept
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
I think the output should be:
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct status dnat counter accept
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
nft add rule ip filter INPUT ct status dnat counter accept
I am new to nftables, so I may have missed something obvious.
If so, sorry to bother you!
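The distinction behind this report, as an added example (it is not part of the bug report and not iptables-translate's own code): in iptables' conntrack match, SNAT and DNAT given to --ctstate do not test the connection's tracking state at all but its status bits (IPS_SRC_NAT / IPS_DST_NAT), so the only faithful nft equivalent is `ct status snat` / `ct status dnat`, never `ct state`. The translator below keeps the two kinds of flag apart, refuses unknown flags instead of dropping them, and never emits a bare `ct state` with no operand (the first output above is not even valid nft syntax). The `dropped_flags` helper is the check a practitioner would run over a whole converted ruleset to catch flags that a translation silently lost. Assumptions: a --ctstate list mixing both kinds is split into two nft rules, as the reporter proposes, because --ctstate is an any-of match and nft has no OR between a `ct state` and a `ct status` expression in one rule; the fixed flag ordering is chosen to reproduce the `related,established` ordering seen in the output above; function names are hypothetical.

```python
"""Translate iptables '-m conntrack --ctstate ...' into nft expressions,
keeping conntrack *state* bits and conntrack *status* bits apart.

Added example, not iptables-translate's code. Function names are hypothetical.
"""
import re

# --ctstate names that are conntrack state bits and map onto nft "ct state".
# Fixed order, chosen to reproduce the "related,established" ordering that
# iptables-translate prints in the report above.
CT_STATE = [
    ("INVALID", "invalid"),
    ("NEW", "new"),
    ("RELATED", "related"),
    ("ESTABLISHED", "established"),
    ("UNTRACKED", "untracked"),
]

# --ctstate names that are really conntrack status bits in the kernel
# (IPS_SRC_NAT / IPS_DST_NAT) and therefore belong to nft "ct status".
CT_STATUS = [
    ("SNAT", "snat"),
    ("DNAT", "dnat"),
]


def split_ctstate(arg):
    """Split a --ctstate list into (nft ct state names, nft ct status names).

    Unknown flags raise instead of being dropped, which is the failure mode
    described in the report.
    """
    wanted = {tok.strip().upper() for tok in arg.split(",") if tok.strip()}
    known = {name for name, _ in CT_STATE + CT_STATUS}
    unknown = wanted - known
    if unknown:
        raise ValueError("unknown --ctstate flag(s): " + ",".join(sorted(unknown)))
    states = [nft for name, nft in CT_STATE if name in wanted]
    statuses = [nft for name, nft in CT_STATUS if name in wanted]
    return states, statuses


def translate_ctstate_rule(family, table, chain, ctstate, target="accept"):
    """nft command(s) for: -t <table> -A <chain> -m conntrack --ctstate <ctstate> -j <target>

    --ctstate matches if ANY listed flag is set. "ct state a,b" is also an
    any-of match, but nft cannot OR a ct state match with a ct status match in
    one rule, so (assumption, following the reporter's proposal) flags of the
    two kinds are emitted as two separate rules. A kind with no flags emits
    nothing, so no operand-less "ct state" is ever produced.
    """
    states, statuses = split_ctstate(ctstate)
    prefix = f"nft add rule {family} {table} {chain}"
    rules = []
    if states:
        rules.append(f"{prefix} ct state {','.join(states)} counter {target}")
    if statuses:
        rules.append(f"{prefix} ct status {','.join(statuses)} counter {target}")
    return rules


# Matches "ct state <flags>" / "ct status <flags>" where <flags> is a
# comma-separated list of the nft names above; "ct state counter ..." (the
# buggy output) deliberately does not match, because "counter" is not a flag.
_NFT_NAMES = "|".join(nft for _, nft in CT_STATE + CT_STATUS)
_CT_RE = re.compile(rf"\bct (?:state|status) ((?:{_NFT_NAMES})(?:,(?:{_NFT_NAMES}))*)")


def dropped_flags(ctstate, nft_rules):
    """Audit a translation: which --ctstate flags are absent from the nft rule(s)?

    Feed the original --ctstate argument and the nft text that a translator
    produced for it; an empty list means every flag survived.
    """
    states, statuses = split_ctstate(ctstate)
    present = set()
    for rule in nft_rules:
        for flags in _CT_RE.findall(rule):
            present.update(flags.split(","))
    return [f for f in states + statuses if f not in present]


if __name__ == "__main__":
    # Constructed input: the two rules from the report and the output that
    # iptables-translate gave for them.
    for arg in ("DNAT", "ESTABLISHED,RELATED,DNAT"):
        for rule in translate_ctstate_rule("ip", "filter", "INPUT", arg):
            print(rule)
    buggy = ["nft add rule ip filter INPUT ct state related,established counter accept"]
    print("lost:", dropped_flags("ESTABLISHED,RELATED,DNAT", buggy))
```

Running the audit over the report's second rule returns `['dnat']`, which is exactly the flag the translator ate; over the translator's own output it returns an empty list. The same audit can be wrapped around `iptables-translate` in a loop over an exported ruleset so that any rule whose flags went missing fails loudly before the nft ruleset is loaded.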