Le 03/12/2014 12:00, Pablo Neira Ayuso a écrit :
> On Wed, Dec 03, 2014 at 08:30:52AM +0100, Jean-Philippe Menil wrote:
>> Le 02/12/2014 23:15, Eric Leblond a écrit :
>>> Hi,
>>>
>>> On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
>>>> Hi,
>>>>
>>>> while playing with nftables, i observe that my iptables masquerading do not
>>>> work anymore:
>>>>
>>>> modprobe nft_nat
>>>> modprobe nft_chain_nat_ipv4
>>>> nft add table nat
>>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>
> BTW, you will also have to add the prerouting nat chain so the NAT
> engine can undo NAT for reply traffic, see:
>
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
Yes, i just forget to pas in the mail :)
>
>>>> ^^ iptables nat stoped work here.
>>>>
>>>> I'm sure i read that nftables and iptables where compatible.
>>>>
>>>> Can anyone point me what am i missing ?
>>>>
>>>> (I'm on 3.17.4)
>>>
>>> Sadly, masquerade is requiring 3.18. Only standard NAT is implemented in
>>> 3.17.x.
>>>
>>> BR,
>>>
>> Hi Eric,
>>
>> thanks for your response.
>>
>> I've see on the wiki that masquerading require a 3.18 kernel.
>>
>> But why juste adding the type nat hook with nftables, broke the iptables
>> masquerading?
>
> Because the NAT engine attaches the nul-nat-binding (ie. this
> conntrack has no nat at all) when the packet leaves the chain without
> matching any rule.
>
> If you run iptables and nf_tables for NAT at the same time, the first
> chain will configure NAT for the conntrack, the second will just skip
> the packet since NAT has been already set up.
Ok, now i understand better.
Many thanks !
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
