[Bug 1748] New: nft masquerade commands make table nat unreadable by iptables-nft
bugzilla-daemon at netfilter.org
Thu Apr 18 11:14:12 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1748
Bug ID: 1748
Summary: nft masquerade commands make table nat unreadable by iptables-nft
Product: iptables
Version: git (please indicate commit ID)
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: ts at ferncast.de
Hi,
If I inject a masquerade rule into the nat table via nft, I cannot read the
table with iptables-nft (git hash 8bf2bab8eb2e4f5ae2fef859ea7c877662854101, and
also older versions like 1.8.9) anymore until I delete this single rule with the
nft tool.
E.g. if I put the configuration below into the file postrouting.nft and inject it
via `nft -f postrouting.nft`:

    table ip nat {
        chain POSTROUTING {
            oifname != "br-mailcow" ip saddr 172.22.1.0/24 masquerade
        }
    }

`iptables -t nat -L` then tells me `iptables v1.8.10 (nf_tables): table `nat'
is incompatible, use 'nft' tool.` If I inject the same rule with iptables-nft,
everything works fine. I was able to fix this behavior with the following patch to
iptables, but I am pretty sure that this is not the right way to do it:
diff --git a/iptables/nft.c b/iptables/nft.c
index 884cc77e..a7086014 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3931,6 +3931,7 @@ static const char *supported_exprs[] = {
"immediate",
"lookup",
"range",
+ "masq",
};
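Review bot: whitelisting "masq" in supported_exprs only silences the "table `nat' is incompatible" check; nothing in this hunk teaches the code that turns nft expressions into xtables matches and targets how to render a native masq expression, and the report itself notes that a MASQUERADE rule inserted by iptables arrives as a "target" expression rather than "masq". With the whitelist entry alone, `iptables -t nat -L` would accept the table but most likely list the rule without its MASQUERADE action, which hides a NAT rule from anyone auditing the table with iptables, a worse outcome than the explicit refusal. Either translate masq (including its to-ports and random flags) into the equivalent MASQUERADE target when the rule is parsed, or keep the table flagged incompatible; the same question applies to the other native NAT expressions ("nat" for snat/dnat, "redir" for redirect) that are likewise absent from this list.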
In my further debugging I found that the rule injected by iptables seems to
have "target" as its expression instead of "masq", but this is only a hint for
someone who really knows the code. ;-)
Yesterday morning this "bug" caused a severe problem, as libvirt was not able to
read the nat table anymore because I had used some nft commands before to insert
some masquerading rules. This may also affect others who update their libvirt
in, e.g., Ubuntu, and have inserted masquerading rules into the nat table via
`nft`.
Best regards,
Thomas
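The report describes a nat table that nft reads but iptables-nft refuses. As an added example, not part of the bug report or of the iptables project, the following Python script takes the JSON that `nft -j list table ip nat` prints, lists the rules that carry nft-native NAT statements (masquerade is the case from the report; snat, dnat and redirect are this example's generalization, since their netlink expressions "nat" and "redir" are likewise absent from iptables-nft's supported_exprs list), and prints the iptables-nft command that expresses the reporter's rule, which is the form the report says iptables-nft reads fine. The embedded JSON is constructed for the example; that nft renders an iptables-inserted target as an "xt" object, and the shape of masquerade's "port" and "flags" fields, are assumptions about nft's JSON output.

```python
"""Flag nft-native NAT statements that iptables-nft cannot parse and print the
iptables-nft command for the same rule.

Input is the JSON from `nft -j list table ip nat` (stdin) or the constructed
sample below.  Assumption: `nft -j` renders an xtables target inserted by
iptables-nft as {"xt": {"type": "target", "name": ...}}."""
import json
import sys

# nft JSON statement names whose netlink expressions ("masq", "nat", "redir")
# are not in iptables-nft's supported_exprs.  masquerade is the reported case;
# the other three are this example's generalization.
NATIVE_NAT_STMTS = {"masquerade", "snat", "dnat", "redirect"}

# Constructed sample: one rule inserted by iptables-nft, one loaded with nft -f.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "nat", "handle": 1}},
    {"chain": {"family": "ip", "table": "nat", "name": "POSTROUTING", "handle": 1,
               "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 2, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": {"prefix": {"addr": "10.0.0.0", "len": 8}}}},
        {"counter": {"packets": 0, "bytes": 0}},
        {"xt": {"type": "target", "name": "MASQUERADE"}}]}},   # iptables-nft form
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 3, "expr": [
        {"match": {"op": "!=", "left": {"meta": {"key": "oifname"}}, "right": "br-mailcow"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": {"prefix": {"addr": "172.22.1.0", "len": 24}}}},
        {"masquerade": None}]}},                                # nft -f form from the report
]})


def rules_in(ruleset, family="ip", table="nat"):
    """Yield the rule objects of one table from nft -j output."""
    for obj in json.loads(ruleset)["nftables"]:
        rule = obj.get("rule")
        if rule and rule["family"] == family and rule["table"] == table:
            yield rule


def native_nat_rules(ruleset, family="ip", table="nat"):
    """Return (chain, handle, statement) for every rule iptables-nft will reject."""
    found = []
    for rule in rules_in(ruleset, family, table):
        for expr in rule["expr"]:
            (name,) = expr.keys()          # each nft statement is a one-key object
            if name in NATIVE_NAT_STMTS:
                found.append((rule["chain"], rule["handle"], name))
    return found


def _match_to_args(m):
    """Translate the match forms used in the report: interface names and ip addresses."""
    if m["op"] not in ("==", "!="):
        raise ValueError(f"unsupported op {m['op']}")
    neg = ["!"] if m["op"] == "!=" else []
    left, right = m["left"], m["right"]
    if "meta" in left and left["meta"]["key"] in ("iifname", "oifname"):
        return neg + ["-i" if left["meta"]["key"] == "iifname" else "-o", right]
    if "payload" in left and left["payload"]["protocol"] == "ip" \
            and left["payload"]["field"] in ("saddr", "daddr"):
        flag = "-s" if left["payload"]["field"] == "saddr" else "-d"
        if isinstance(right, dict) and "prefix" in right:
            addr = f"{right['prefix']['addr']}/{right['prefix']['len']}"
        elif isinstance(right, str):
            addr = right
        else:
            raise ValueError(f"unsupported address operand {right!r}")
        return neg + [flag, addr]
    raise ValueError(f"unsupported match {m!r}")


def rule_to_iptables(rule, cmd="iptables"):
    """Render one nft-native masquerade rule as the equivalent iptables-nft command."""
    args = [cmd, "-t", rule["table"], "-A", rule["chain"]]
    for expr in rule["expr"]:
        (name,) = expr.keys()
        body = expr[name]
        if name == "match":
            args += _match_to_args(body)
        elif name == "masquerade":
            args += ["-j", "MASQUERADE"]
            body = body or {}
            if "port" in body:             # assumed shape: int or {"range": [lo, hi]}
                port = body["port"]
                if isinstance(port, dict) and "range" in port:
                    port = "-".join(str(p) for p in port["range"])
                args += ["--to-ports", str(port)]
            flags = body.get("flags", [])
            if "random" in ([flags] if isinstance(flags, str) else flags):
                args.append("--random")
        elif name == "counter":
            continue                       # iptables-nft adds its own counter
        else:
            raise ValueError(f"cannot translate {name!r}; rewrite by hand")
    return " ".join(args)


if __name__ == "__main__":
    data = SAMPLE_NFT_JSON if sys.stdin.isatty() else sys.stdin.read()
    for chain, handle, stmt in native_nat_rules(data):
        print(f"# {chain} handle {handle}: native '{stmt}', unreadable by iptables-nft")
    for rule in rules_in(data):
        if any(k in NATIVE_NAT_STMTS for e in rule["expr"] for k in e):
            print(rule_to_iptables(rule))
```

Run it as `nft -j list table ip nat | python3 check_nat.py` on a host where `iptables -t nat -L` reports the table as incompatible; each flagged rule is followed by the iptables-nft command to add once the nft-native rule has been deleted with `nft delete rule ip nat POSTROUTING handle N`. The translator deliberately raises on anything outside the match forms from the report rather than guessing, since a silently dropped match would widen the NAT rule.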