Hi,
nftables v1.0.6 (Lester Gooch #5) on Debian bookworm, kernel 6.5 from
unstable. Simple test:
#!/bin/sh
sudo nft flush ruleset
sudo nft add table ip6 nat
sudo nft add chain ip6 nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add chain ip6 nat postrouting { type nat hook postrouting priority 100 \; }
#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 58194-58197 } dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 58194-58197 } dnat to [fd99:d:e:f::1]:58198
sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport 58194 redirect to :58198   # <= this one doesn't work
#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 dnat to [fd99:d:e:f::1]:58198
In another terminal I run:
nc -vl :: 58198
Listening on :: 58198
From another computer:
nc -v 2001:db8::1 58194
nc: connect to 2001:db8::1 port 58194 (tcp) failed: Connection timed out
As you see, I never get input on port 58198 with redirect. I also tested
with forwarding enabled as below, but no luck:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Replacing the redirect rule with any of the 4 other rules above, I get
the right behavior:
nc -vl :: 58198
Listening on :: 58198
Connection received on 2001:db8:a:b::c 54748
nc -v 2001:db8::1 58194
Connection to 2001:db8::1 58194 port [tcp/*] succeeded!
Does it mean that redirect is broken or abandoned, or did I miss something?
--
Daniel
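A small audit script, added here as an example and not part of Daniel's post or of nftables: it walks a ruleset in the JSON form `nft -j list ruleset` produces, lists every `redirect` statement sitting in an ip6-family rule, and renders the port-only `dnat to :PORT` rule the post shows working in its place. The JSON layout of the embedded sample is an assumption modelled on the libnftables JSON schema (it is constructed, not captured from a real host), and the `find_ip6_redirects` and `suggest_dnat` names are mine.

```python
"""Audit an nftables JSON ruleset for `redirect` statements in ip6 tables
and render the port-only `dnat to :PORT` rule text the report shows working.
Added example; the JSON layout is an assumption modelled on what
`nft -j list ruleset` emits, not captured output."""
import json

# Constructed sample: the ip6 nat table from the report, with the redirect
# rule that fails and one dnat-to-address rule for contrast.
SAMPLE_RULESET = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.6", "release_name": "Lester Gooch #5",
                      "json_schema_version": 1}},
        {"table": {"family": "ip6", "name": "nat", "handle": 1}},
        {"chain": {"family": "ip6", "table": "nat", "name": "prerouting",
                   "handle": 1, "type": "nat", "hook": "prerouting",
                   "prio": 0, "policy": "accept"}},
        {"rule": {"family": "ip6", "table": "nat", "chain": "prerouting",
                  "handle": 3, "expr": [
                      {"match": {"op": "==", "right": "2001:db8::1",
                                 "left": {"payload": {"protocol": "ip6", "field": "daddr"}}}},
                      {"match": {"op": "==", "right": 58194,
                                 "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
                      {"redirect": {"port": 58198}}]}},
        {"rule": {"family": "ip6", "table": "nat", "chain": "prerouting",
                  "handle": 4, "expr": [
                      {"match": {"op": "==", "right": "2001:db8::1",
                                 "left": {"payload": {"protocol": "ip6", "field": "daddr"}}}},
                      {"match": {"op": "==", "right": 58195,
                                 "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
                      {"dnat": {"addr": "fd99:d:e:f::1", "port": 58198}}]}},
    ]
})


def _render_port(port):
    """Render a port that is either a plain int or a {"range": [lo, hi]} object."""
    if isinstance(port, dict) and "range" in port:
        lo, hi = port["range"]
        return f"{lo}-{hi}"
    return str(port)


def _render_match(match):
    """Turn a payload match expression back into nft rule syntax."""
    payload = match["left"].get("payload", {})
    right = match["right"]
    if isinstance(right, dict) and "range" in right:
        right = _render_port(right)
    return f'{payload.get("protocol", "?")} {payload.get("field", "?")} {right}'


def find_ip6_redirects(ruleset_json):
    """Return one dict per redirect statement found in an ip6-family rule."""
    hits = []
    for item in json.loads(ruleset_json)["nftables"]:
        rule = item.get("rule")
        if rule is None or rule.get("family") != "ip6":
            continue
        matches = [_render_match(e["match"]) for e in rule["expr"] if "match" in e]
        for expr in rule["expr"]:
            if "redirect" in expr:
                hits.append({
                    "handle": rule["handle"],
                    "table": rule["table"],
                    "chain": rule["chain"],
                    "matches": matches,
                    "port": expr["redirect"].get("port"),
                })
    return hits


def suggest_dnat(hit):
    """Port-only dnat rule keeping the matched daddr, the form the report shows working.
    Returns None when the redirect carries no port (nothing to rewrite)."""
    if hit["port"] is None:
        return None
    matches = " ".join(hit["matches"])
    return (f'nft add rule ip6 {hit["table"]} {hit["chain"]} {matches} '
            f'dnat to :{_render_port(hit["port"])}')


if __name__ == "__main__":
    for hit in find_ip6_redirects(SAMPLE_RULESET):
        print(f'rule handle {hit["handle"]} in {hit["table"]}/{hit["chain"]} '
              f'uses redirect to :{_render_port(hit["port"])}')
        print("  port-only dnat form:", suggest_dnat(hit))
```

Note that `redirect` rewrites the destination to the primary address of the incoming interface, while `dnat to :PORT` leaves the matched destination address untouched, so the rendered rule is the workaround the post observes rather than a semantically identical rewrite; after loading it, confirm the result with `nft list ruleset` and a connection test like the `nc` pair above.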