Hello all,

OS Distribution: Ubuntu Xenial
Kernel: 4.13.0-38-generic
nftables version: nftables v0.8.3 (Joe Btfsplk)

I have a unique network setup where natting ipv6 is required. I repeat, translation is necessary (at the moment)! I don't want to get into a debate.

First, iptables rules were successfully migrated to nftables (ipv4).

    table ip test {
        map dns_nat {
            type ipv4_addr . ipv4_addr . inet_service : ipv4_addr
        }

        map test_outgoing {
            type ipv4_addr : ipv4_addr
        }

        chain input {
            type filter hook input priority 0; policy drop;
            ct state invalid drop
            ct state established,related accept
            iif "lo" accept
            icmp type echo-request accept
            ct state new iif "eth0" ip saddr x.x.x.x/16 tcp dport ssh accept
        }

        chain output {
            type filter hook output priority 0; policy accept;
        }

        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
            dnat to ip saddr . ip daddr . udp dport map @dest_nat
        }

        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oif "eth0" snat to ip saddr map @test_outgoing
        }
    }

Then to ip6tables - the basic setup works for outbound nat and the redirect. Ignore the ipv6 IP addresses. It's just a working example.

    # Generated by ip6tables-save v1.6.0 on Mon Apr 23
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -s fdcc:6547:f3b:f967::1/128 -d 2620:0:ccc::2/128 -i eth1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 2001:4860:4860::8844:53
    -A PREROUTING -s fdcc:6547:f3b:f967::1/128 -d 2620:0:ccc::2/128 -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 2001:4860:4860::8844:53
    -A POSTROUTING -o eth2 -j MASQUERADE
    COMMIT

Now to nftables.
Here's the template that works fine for a one to one outbound NAT.

    table ip6 test {
        map dest_nat {
            type ipv6_addr . ipv6_addr . inet_service : ipv6_addr
        }

        map source_nat {
            type ipv6_addr : ipv6_addr
            elements = { fdcc:6547:f3b:f967::1 : 2607:f8b0:4007:80c::200e}
        }

        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
        }

        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oif eth2 snat ip6 saddr map @source_nat
        }
    }

The missing component is the redirect. Now, I want to complete the prerouting chain with a map. I expected the below command to work as it does with ipv4 family in nftables. And, ip6tables supports this type of redirect.

    nft add rule ip6 test prerouting dnat ip6 saddr . ip6 daddr . udp dport map @dest_nat

The error from executing the above command:

    nft: netlink_linearize.c:609: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
    Aborted (core dumped)

This does work in nftables using the ip family. Ex.

    add rule test prerouting dnat ip saddr . ip daddr . udp dport map @dest_nat

What am I missing? Can I provide more technical information?

Thanks in advance.

adsquaired
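
An added example, not part of the original post: a Python helper that turns the DNAT lines of an ip6tables-save dump into elements for the `dest_nat` map (`ipv6_addr . ipv6_addr . inet_service : ipv6_addr`), one protocol at a time because the rule keys on `udp dport`. The function names and the bracketed udp sample line are constructed for illustration; note that an unbracketed target such as `2001:4860:4860::8844:53` parses as a single address whose last group is `53`, not as address plus port.

```python
import ipaddress
import shlex

# The tcp line is copied from the dump in the post; the udp line is a constructed
# variant with a bracketed target, for comparison.
SAMPLE = """\
-A PREROUTING -s fdcc:6547:f3b:f967::1/128 -d 2620:0:ccc::2/128 -i eth1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 2001:4860:4860::8844:53
-A PREROUTING -s fdcc:6547:f3b:f967::1/128 -d 2620:0:ccc::2/128 -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination [2001:4860:4860::8844]:53
"""

def split_target(text):
    """Split a --to-destination value into (IPv6Address, port or None)."""
    if text.startswith("["):
        host, _, rest = text[1:].partition("]")
        return ipaddress.IPv6Address(host), int(rest[1:]) if rest.startswith(":") else None
    # Without brackets every colon belongs to the address: a trailing ":53"
    # is the final 16-bit group (0x0053), not a port.
    return ipaddress.IPv6Address(text), None

def parse_dnat(line):
    """Return (proto, saddr, daddr, dport, target, target_port), or None if not a DNAT rule."""
    tok = shlex.split(line)
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    if opt.get("-j") != "DNAT":
        return None
    src, dst = ipaddress.IPv6Interface(opt["-s"]), ipaddress.IPv6Interface(opt["-d"])
    if src.network.prefixlen != 128 or dst.network.prefixlen != 128:
        raise ValueError("an ipv6_addr key field holds one host, not a prefix")
    target, port = split_target(opt["--to-destination"])
    return opt["-p"], src.ip, dst.ip, int(opt["--dport"]), target, port

def to_elements(dump, proto):
    """Build 'saddr . daddr . dport : target' elements for one L4 protocol."""
    out = []
    for line in dump.splitlines():
        rule = parse_dnat(line)
        if rule and rule[0] == proto:
            _, src, dst, dport, target, _ = rule  # value type ipv6_addr carries no port
            out.append(f"{src} . {dst} . {dport} : {target}")
    return out

def nft_command(dump, proto="udp"):
    """nft command that loads the elements into the post's dest_nat map."""
    return "nft add element ip6 test dest_nat { " + ", ".join(to_elements(dump, proto)) + " }"

if __name__ == "__main__":
    print(nft_command(SAMPLE, "udp"))
    print(nft_command(SAMPLE, "tcp"))
```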