nftables NAT stops working (trace included)

Hello all,

Has anyone witnessed this? I have nftables set up with prerouting,
postrouting and forwarding rules that work well. Until it doesn't.
As you can see from the trace below the postrouting rule is not
natting the packet.  ip saddr 192.168.254.1 out eth1 should be an
Internet routable address.
Stopping and starting nftables (flushing rules) does not help. I then
reboot the server and everything starts working again.

Something else to note. After things are working again I set up nftrace
again expecting to see the correctly translated address on eth1.
Packets again don't flow through. When I remove the trace statements
(handles) packets flow again. I do not know if this is the expected
behavior or not. Someone please shine some light on the subject for
me. Thank you.

Trace (Bad News):
trace id 18162e6e ip myfw prerouting packet: iif "eth2" ether saddr 00:50:56:92:97:8d ether daddr 00:50:56:92:78:6e ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw prerouting rule tcp dport 80 counter packets 12 bytes 720 nftrace set 1 accept (verdict accept)
trace id 18162e6e ip myfw forward packet: iif "eth2" oif "eth1" ether saddr 00:50:56:92:97:8d ether daddr 00:50:56:92:78:6e ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw forward rule iif "eth2" ip saddr vmap @outbound (verdict accept)
trace id 18162e6e ip myfw postrouting packet: oif "eth1" @ll,0,112 6365045784477331379336991475712 ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw postrouting rule tcp dport 80 counter packets 1 bytes 60 nftrace set 1 accept (verdict accept)

Version Info:
ii  libnftables0                          0.8.5-1        amd64        Netfilter nftables high level userspace API library
ii  libnftnl7:amd64                       1.1.0-1        amd64        Netfilter nftables userspace API library
ii  nftables                              0.8.5-1        amd64        Program to control packet filtering rules by Netfilter project

Operating System Info:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"

Kernel Info:
4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
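A small parser for the nftrace output in the post, added here as an example and not part of the original message or of the nftables project. nftables evaluates a base chain top to bottom and `accept` is a terminal verdict for that chain, so a rule like `tcp dport 80 counter nftrace set 1 accept` sitting above a `masquerade` or `snat` rule in the postrouting chain ends evaluation before the NAT rule is ever reached. The script groups trace lines by trace id, looks for a postrouting packet event on a WAN interface whose source address is still private, and reports the rule that matched there together with whether that rule carried any NAT statement. The trace text is copied from the post with the mailer's line wraps undone; the chain name `postrouting`, the WAN interface set `{"eth1"}` and the function names are assumptions for this example.

```python
"""Parse nftrace output and flag packets that leave a WAN interface untranslated."""
import ipaddress
import re
from collections import defaultdict

# Trace output copied from the post above, with the line wraps undone.
TRACE = """\
trace id 18162e6e ip myfw prerouting packet: iif "eth2" ether saddr 00:50:56:92:97:8d ether daddr 00:50:56:92:78:6e ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw prerouting rule tcp dport 80 counter packets 12 bytes 720 nftrace set 1 accept (verdict accept)
trace id 18162e6e ip myfw forward packet: iif "eth2" oif "eth1" ether saddr 00:50:56:92:97:8d ether daddr 00:50:56:92:78:6e ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw forward rule iif "eth2" ip saddr vmap @outbound (verdict accept)
trace id 18162e6e ip myfw postrouting packet: oif "eth1" @ll,0,112 6365045784477331379336991475712 ip saddr 192.168.254.1 ip daddr 64.233.177.106 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 16037 ip length 60 tcp sport 43775 tcp dport 80 tcp flags syn tcp window 29200
trace id 18162e6e ip myfw postrouting rule tcp dport 80 counter packets 1 bytes 60 nftrace set 1 accept (verdict accept)
"""

# One trace event per line: "trace id <id> <family> <table> <chain> <kind> ...".
# "packet" events carry a colon after the kind, "rule" events do not.
EVENT_RE = re.compile(
    r'^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) '
    r'(?P<kind>packet|rule|verdict|policy):? ?(?P<rest>.*)$'
)
VERDICT_RE = re.compile(r'\(verdict (?P<verdict>\w+)\)')
# Only the header fields we need from a packet event; iif/oif values are quoted.
FIELD_RE = re.compile(r'(?P<key>iif|oif|ip saddr|ip daddr) "?(?P<val>[^ "]+)"?')


def parse_events(text):
    """Group trace events by trace id, keeping their order of appearance."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an nftrace line (e.g. other nft monitor output)
        ev = m.groupdict()
        if ev['kind'] == 'packet':
            ev['fields'] = dict(FIELD_RE.findall(ev['rest']))
        elif ev['kind'] == 'rule':
            vm = VERDICT_RE.search(ev['rest'])
            ev['verdict'] = vm.group('verdict') if vm else None
            # Does the matching rule itself perform source NAT?
            ev['has_nat'] = bool(re.search(r'\b(masquerade|snat)\b', ev['rest']))
        events[ev['id']].append(ev)
    return events


def find_untranslated(text, wan_ifaces, nat_chain='postrouting'):
    """Report flows seen in the NAT chain on a WAN interface with a private
    source address, together with the rule that matched them there.

    wan_ifaces: set of interface names that face the Internet (assumed).
    nat_chain:  name of the postrouting chain (the post's chain is 'postrouting').
    """
    findings = []
    for tid, evs in parse_events(text).items():
        for i, ev in enumerate(evs):
            if ev['kind'] != 'packet' or ev['chain'] != nat_chain:
                continue
            f = ev['fields']
            if f.get('oif') not in wan_ifaces or 'ip saddr' not in f:
                continue
            saddr = ipaddress.ip_address(f['ip saddr'])
            if not saddr.is_private:
                continue  # already translated to a routable address
            # The first rule event after the packet event is the rule that matched.
            rule = next((e for e in evs[i + 1:] if e['kind'] == 'rule'), None)
            findings.append({
                'trace_id': tid,
                'oif': f['oif'],
                'saddr': str(saddr),
                'daddr': f.get('ip daddr'),
                'rule': rule['rest'] if rule else None,
                'verdict': rule['verdict'] if rule else None,
                'nat_in_rule': rule['has_nat'] if rule else False,
            })
    return findings


if __name__ == '__main__':
    for hit in find_untranslated(TRACE, {'eth1'}):
        print(f"trace {hit['trace_id']}: {hit['saddr']} -> {hit['daddr']} left "
              f"{hit['oif']} untranslated; matched rule [{hit['rule']}] "
              f"verdict={hit['verdict']} nat_in_rule={hit['nat_in_rule']}")
```

Run against the trace from the post it reports the single flow: the postrouting rule that matched ends in `accept` and contains no `masquerade` or `snat`, which is what to look for when a trace rule added with `nftrace set 1 ... accept` lands above the NAT rule. A safer way to trace without changing verdicts is to put `nftrace set 1` in a rule with no verdict at all (or in a chain evaluated before the NAT chain), so evaluation continues to the masquerade rule.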
