On Wed, Dec 03, 2014 at 08:30:52AM +0100, Jean-Philippe Menil wrote:
> On 02/12/2014 23:15, Eric Leblond wrote:
> > Hi,
> >
> > On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
> >> Hi,
> >>
> >> while playing with nftables, I observe that my iptables masquerading does not
> >> work anymore:
> >>
> >> modprobe nft_nat
> >> modprobe nft_chain_nat_ipv4
> >> nft add table nat
> >> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }

BTW, you will also have to add the prerouting nat chain so the NAT engine
can undo NAT for reply traffic, see:

http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

> >> ^^ iptables nat stopped working here.
> >>
> >> I'm sure I read that nftables and iptables were compatible.
> >>
> >> Can anyone point me to what I am missing?
> >>
> >> (I'm on 3.17.4)
> >
> > Sadly, masquerade is requiring 3.18. Only standard NAT is implemented in
> > 3.17.x.
> >
> > BR,
>
> Hi Eric,
>
> thanks for your response.
>
> I've seen on the wiki that masquerading requires a 3.18 kernel.
>
> But why does just adding the type nat hook with nftables break the iptables
> masquerading?

Because the NAT engine attaches the null-nat-binding (i.e. this conntrack
has no NAT at all) when the packet leaves the chain without matching any
rule. If you run iptables and nf_tables for NAT at the same time, the first
chain will configure NAT for the conntrack, the second will just skip the
packet since NAT has been already set up.

> There's no problem at all, I will upgrade to 3.18 for my tests.

Thanks.
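An added check for the situation explained in the reply above (it is not code from the thread or from the netfilter project): given the output of `nft list chains` and `iptables -t nat -S`, it reports every hook on which an nft nat base chain and iptables nat rules coexist, which is when the first engine binds NAT for the conntrack and the second is skipped. The two inputs below are constructed samples in the output format those commands print; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: detect NAT registered by both nf_tables and iptables on the
# same hook. Inputs are constructed samples; on a live box feed the function
# the real output of `nft list chains` and `iptables -t nat -S` instead.

# Constructed sample: the table and chain from the thread, as nft lists it.
NFT_CHAINS='table ip nat {
	chain postrouting {
		type nat hook postrouting priority 0; policy accept;
	}
}'

# Constructed sample: a legacy iptables masquerade rule in the nat table.
IPT_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# nft_nat_hooks: hook names of every nat-type base chain read from stdin.
nft_nat_hooks() {
    sed -n 's/.*type nat hook \([a-z]*\) priority.*/\1/p' | sort -u
}

# iptables_nat_hooks: hooks (builtin chains, lowercased) that carry at least
# one iptables nat rule; a bare policy line means no rule is installed there.
iptables_nat_hooks() {
    awk '$1 == "-A" && $2 ~ /^(PREROUTING|POSTROUTING|INPUT|OUTPUT)$/ \
         { print tolower($2) }' | sort -u
}

# nat_overlap NFT_OUTPUT IPT_OUTPUT: print every hook both engines claim;
# exits 0 when an overlap exists and 1 when the hook sets are disjoint.
nat_overlap() {
    found=1
    for h in $(printf '%s\n' "$1" | nft_nat_hooks); do
        for i in $(printf '%s\n' "$2" | iptables_nat_hooks); do
            [ "$h" = "$i" ] || continue
            echo "overlap on hook '$h': nft nat chain and iptables nat rules"
            found=0
        done
    done
    return $found
}

if nat_overlap "$NFT_CHAINS" "$IPT_NAT"; then
    echo "NAT is handled by two engines on the same hook; keep only one"
fi
```

The sample input reproduces the thread's setup and reports an overlap on `postrouting`; once masquerading is moved entirely to one engine the function exits non-zero.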