Hi, On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote: > Hello, > > I setup prerouting rules with maps like > > chain prerouting { > type nat hook prerouting priority 0; policy accept; > iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp > if "ens3" ip6 saddr . udp dport vmap @blacklist_udp > dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp > dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp > ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp > ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp > ct status dnat accept > } > > Default behavior in ip6 filter forward table is to drop. This means that > my above rules are blocked, I see (u18srv being the machine who will > forward the traffic to another one): > > 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr > 0,nop,wscale 7], length 0 > > > 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr > 0,nop,wscale 7], length 0 > 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr > 0,nop,wscale 7], length 0 > > Now if I change my default value to accept for ip6 filter forward table, > all is good. > > Question: how can I add forward rule to filter table using the existing > maps which are defined in nat tables ? Other solution ? > > I thought that ct status dnat accept was the key to archieve my goal, > seems not :( > > Thanks for any hint Please be aware that 'accept' verdict will only stop the packet from traversing the current chain and any later chain may still drop the packet. Only 'drop' verdict is final in that sense. So regarding your problem, I guess you have to add the 'ct state' based accept rule to forward chain to prevent the drop policy to affect the packet. Your prerouting chain already has an accept policy, so explicit accepting shouldn't be needed. Cheers, Phil