I have a system that we recently updated from CentOS to Suse. As part of that firewalld switched from iptables to nftables. Most everything works great and isn't presenting any problems, except redirect rules.
For firewalld we have a couple of simple rich rules:
rich rules:
rule family="ipv6" forward-port port="8080" protocol="tcp" to-port="443"
rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="443"
These are correctly translating to nftables as:
chain nat_PRE_customer_allow { # handle 54
tcp dport 8080 redirect to :443 # handle 61
}
However, despite that rule looking correct the packets are still getting dropped. I added a meta trace rule in raw and get the following trace:
trace id ba82f3e9 inet firewalld raw_PREROUTING packet: iif "internalpub" ether saddr 00:01:e8:8b:47:dd ether daddr 18:66:da:b1:17:57 ip saddr 100.71.132.102 ip daddr 100.69.124.209 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 24586 ip protocol tcp ip length 60 tcp sport 54004 tcp dport 8080 tcp flags == syn tcp window 29200
trace id ba82f3e9 inet firewalld raw_PREROUTING rule tcp dport 8080 meta nftrace set 1 (verdict continue)
trace id ba82f3e9 inet firewalld raw_PREROUTING verdict continue
trace id ba82f3e9 inet firewalld raw_PREROUTING policy accept
trace id ba82f3e9 inet firewalld mangle_PREROUTING packet: iif "internalpub" ether saddr 00:01:e8:8b:47:dd ether daddr 18:66:da:b1:17:57 ip saddr 100.71.132.102 ip daddr 100.69.124.209 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 24586 ip protocol tcp ip length 60 tcp sport 54004 tcp dport 8080 tcp flags == syn tcp window 29200
trace id ba82f3e9 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id ba82f3e9 inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id ba82f3e9 inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id ba82f3e9 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id ba82f3e9 inet firewalld mangle_PREROUTING_ZONES rule iifname "internalpub" goto mangle_PRE_customer (verdict goto mangle_PRE_customer)
trace id ba82f3e9 inet firewalld mangle_PRE_customer rule jump mangle_PRE_customer_pre (verdict jump mangle_PRE_customer_pre)
trace id ba82f3e9 inet firewalld mangle_PRE_customer_pre verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_customer rule jump mangle_PRE_customer_log (verdict jump mangle_PRE_customer_log)
trace id ba82f3e9 inet firewalld mangle_PRE_customer_log verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_customer rule jump mangle_PRE_customer_deny (verdict jump mangle_PRE_customer_deny)
trace id ba82f3e9 inet firewalld mangle_PRE_customer_deny verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_customer rule jump mangle_PRE_customer_allow (verdict jump mangle_PRE_customer_allow)
trace id ba82f3e9 inet firewalld mangle_PRE_customer_allow verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_customer rule jump mangle_PRE_customer_post (verdict jump mangle_PRE_customer_post)
trace id ba82f3e9 inet firewalld mangle_PRE_customer_post verdict continue
trace id ba82f3e9 inet firewalld mangle_PRE_customer verdict continue
trace id ba82f3e9 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id ba82f3e9 inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id ba82f3e9 inet firewalld mangle_PREROUTING verdict continue
trace id ba82f3e9 inet firewalld mangle_PREROUTING policy accept
trace id ba82f3e9 ip firewalld nat_PREROUTING packet: iif "internalpub" ether saddr 00:01:e8:8b:47:dd ether daddr 18:66:da:b1:17:57 ip saddr 100.71.132.102 ip daddr 100.69.124.209 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 24586 ip length 60 tcp sport 54004 tcp dport 8080 tcp flags == syn tcp window 29200
trace id ba82f3e9 ip firewalld nat_PREROUTING rule jump nat_PREROUTING_POLICIES_pre (verdict jump nat_PREROUTING_POLICIES_pre)
trace id ba82f3e9 ip firewalld nat_PREROUTING_POLICIES_pre rule jump nat_PRE_policy_allow-host-ipv6 (verdict jump nat_PRE_policy_allow-host-ipv6)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 rule jump nat_PRE_policy_allow-host-ipv6_pre (verdict jump nat_PRE_policy_allow-host-ipv6_pre)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6_pre verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 rule jump nat_PRE_policy_allow-host-ipv6_log (verdict jump nat_PRE_policy_allow-host-ipv6_log)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6_log verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 rule jump nat_PRE_policy_allow-host-ipv6_deny (verdict jump nat_PRE_policy_allow-host-ipv6_deny)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6_deny verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 rule jump nat_PRE_policy_allow-host-ipv6_allow (verdict jump nat_PRE_policy_allow-host-ipv6_allow)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6_allow verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 rule jump nat_PRE_policy_allow-host-ipv6_post (verdict jump nat_PRE_policy_allow-host-ipv6_post)
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6_post verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_policy_allow-host-ipv6 verdict continue
trace id ba82f3e9 ip firewalld nat_PREROUTING_POLICIES_pre verdict continue
trace id ba82f3e9 ip firewalld nat_PREROUTING rule jump nat_PREROUTING_ZONES (verdict jump nat_PREROUTING_ZONES)
trace id ba82f3e9 ip firewalld nat_PREROUTING_ZONES rule iifname "internalpub" goto nat_PRE_customer (verdict goto nat_PRE_customer)
trace id ba82f3e9 ip firewalld nat_PRE_customer rule jump nat_PRE_customer_pre (verdict jump nat_PRE_customer_pre)
trace id ba82f3e9 ip firewalld nat_PRE_customer_pre verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_customer rule jump nat_PRE_customer_log (verdict jump nat_PRE_customer_log)
trace id ba82f3e9 ip firewalld nat_PRE_customer_log verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_customer rule jump nat_PRE_customer_deny (verdict jump nat_PRE_customer_deny)
trace id ba82f3e9 ip firewalld nat_PRE_customer_deny verdict continue
trace id ba82f3e9 ip firewalld nat_PRE_customer rule jump nat_PRE_customer_allow (verdict jump nat_PRE_customer_allow)
trace id ba82f3e9 ip firewalld nat_PRE_customer_allow rule tcp dport 8080 redirect to :443 (verdict drop)
It looks to me like the redirect rule itself is dropping the packet and I can't figure out why. What can I do to further debug this issue?
-Patrick Boyd
Internal Use - Confidential
