Re: What wrong with snat in nftables?

Nftables rules for server -
https://gist.github.com/MrSorcus/17827298ad81970cc272b9e7f779923f

Nftables rules for client -
https://gist.github.com/MrSorcus/ad05f19759e02f92aac5d9c246f56cf6

I used information from here -
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

1. flush conntrack entries after changing rules in the nat table.

"conntrack -D" shows me "0 flow entries have been deleted.". But
"/proc/net/nf_conntrack" has 3 entries...

2. add counters to the nftables nat rule to check that the rule really hits the packets.

chain postrouting {
  type nat hook postrouting priority 0; policy drop;
  oif "enp0s3" nftrace set 1 counter packets 3 bytes 312 snat to 2a01:4f8:xx:xx::10
  nftrace set 1 counter packets 0 bytes 0 accept comment "IPv6 < Nat < Postrouting"
}

With the git versions of nftables, libmnl & libnftnl and kernels 4.9, 4.11 & 4.12 it doesn't work...
With an Arch Linux server it doesn't work either...


On 2017-07-11 10:10, Anton Danilov wrote:
Hello.
I haven't seen the nftables rules.

Seems like you have a misconfiguration in the nftables rules.

NAT actions are done in the conntrack subsystem, and *tables just
apply the rules to the first packet of a connection in NEW state and create
special conntrack entries. Other packets of this known connection
bypass the rules in the nat table. So that is why it worked after moving
back from ip6tables to nftables: it hadn't affected the
conntrack entries.

So, here are two recommendations:

1. flush conntrack entries after changing rules in the nat table.
2. add counters to the nftables nat rule to check that the rule really hits the packets.
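An added example, not part of either mail: a POSIX shell helper that pulls the counter hits per rule out of a constructed `nft list chain` listing shaped like the one quoted above, so the two recommendations can be checked from a script. Because only the first packet of a NEW connection traverses the nat chain, a nat rule's counter counts connections rather than packets, and a rule placed after a terminal `snat` will stay at zero. The ruleset path is an assumption; `conntrack -D` defaults to the IPv4 family, so IPv6 entries must be deleted with `-f ipv6`.

```shell
#!/bin/sh
# Constructed sample in the shape of `nft list chain ip6 nat postrouting`
# (the address placeholder is kept exactly as it appears in the mail).
SAMPLE_LISTING='table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority 0; policy drop;
		oif "enp0s3" counter packets 3 bytes 312 snat to 2a01:4f8:xx:xx::10
		counter packets 0 bytes 0 accept comment "IPv6 < Nat < Postrouting"
	}
}'

# Read a listing on stdin and print "<packets> <verdict>" for every rule that
# carries a counter; verdict is the statement that ends the rule, or "none".
rule_counters() {
  awk '/counter packets/ {
    pkts = "?"; verdict = "none"
    for (i = 1; i <= NF; i++) {
      if ($i == "packets") pkts = $(i + 1)
      if ($i == "snat" || $i == "dnat" || $i == "masquerade" ||
          $i == "accept" || $i == "drop") verdict = $i
    }
    print pkts, verdict
  }'
}

# Packets counted on the first rule ending in the given verdict.
# Usage: rule_packets "$listing" snat   (prints the packet count, or nothing)
rule_packets() {
  printf '%s\n' "$1" | rule_counters | awk -v v="$2" '$2 == v { print $1; exit }'
}

# Exit status 0 when the snat rule has seen at least one first packet, i.e.
# the NAT binding was created in conntrack; non-zero otherwise.
snat_rule_hit() {
  n=$(rule_packets "$1" snat)
  [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Recommended sequence after editing nat rules (needs root; path assumed):
# load the new ruleset, then delete the existing IPv6 conntrack entries so the
# next packet of each old flow is NEW again and passes through the nat chain.
reload_nat_and_flush_v6() {
  nft -f "${1:-/etc/nftables.conf}" && conntrack -D -f ipv6
}
```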
