Problems understanding nftables part 2

Hello all,

I have already asked some questions about nftables. While diving deeper into it, more
questions are arising.


In my last test I hooked rules into the 5 inet filter hook destinations
(prerouting, input, output, postrouting, forward) to watch how packets flow to
my rules. Now I extended that to see packets also flowing through the nat destinations,
but I have seen no packets.

1)  It looks like it needs at least one configured nat rule, which gets triggered,
    to see packets flowing through the kernel. It looks like, without such an initial
    trigger, trace is either
    a) not showing packets, or
    b) packet flow through nat is enabled only after a first nat rule has matched.
       When I have a matching rule like in example 1, I see packets not only in prerouting,
       but also in input, output and postrouting, even when the chain contains no nat
       specific rule. But: for tcp this seems to be valid only for packets with the SYN flag set;
       others are not showing up.
    c) As soon as I had such a trigger packet, I see however all udp traffic from the system,
       which I had not seen before the tcp rule triggered.
    So my question is whether there are other options to get trace through nat hooks enabled
    without having an initial trigger?
    Unfortunately the "dnat" option does not allow adding "meta nftrace set 1" behind this
    specific line, so I must trace in a more general way.
2) Prerouting, postrouting and route allow for symbolic priorities; that seems to be broken
   for
   a) input and
   b) output,
   where I need to know the corresponding numeric value. What is the reason behind this inconsistent
   behaviour?

I would be glad to receive answers and/or tips for further actions I could try.

Here is my tracing configuration:

>table ip nat {
>        chain prerouting_nat {
>                type nat hook prerouting priority dstnat ; policy accept;
>## 1)
>                ip saddr AA.BB.CC.DD tcp dport 443 dnat ip to BB.CC.DD.EE
>                meta nftrace set 1
>        }
>
>        chain postrouting_nat {
>                type nat hook postrouting priority srcnat ; policy accept;
>                meta nftrace set 1
>        }
>
>        chain input_nat {
>## 2a)
># broken:       type nat hook input priority srcnat ; policy accept;
>                type nat hook input priority 100 ; policy accept;
>                meta nftrace set 1
>        }
>
>        chain output_nat {
>## 2b)
># broken:       type nat hook output priority dstnat ; policy accept;
>                type nat hook output priority -100 ; policy accept;
>                meta nftrace set 1
>        }
>
>        chain output_route {
>                type nat hook output priority mangle ; policy accept;
>                meta nftrace set 1
>        }
>}



Regards

  Wolfgang
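Added example, not part of the original post and not nftables project code: a small Python helper that groups `nft monitor trace` output by trace id and reports, per packet, the chains it was seen in, the verdict that ended traversal, and any matched nat rule (the "trigger" from point 1), so which packets reach the nat chains can be checked from the trace output rather than by eye. The sample lines are constructed in the shape of nft's trace output (field names as on a real system, addresses from documentation ranges); the line layout is an assumption about that output, and the walrus operator needs Python 3.8+.

```python
import re

# Line shape: "trace id <hex> <family> <table> <chain> <event>", where <event> is one of
# "packet: ...", "rule <expr> (verdict <v>)", "verdict <v>" or "policy <v>".
LINE_RE = re.compile(r"^trace id (?P<id>\w+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) (?P<event>.*)$")
RULE_RE = re.compile(r"^rule (?P<expr>.*) \(verdict (?P<verdict>\w+)\)$")

# Constructed sample, not captured from a real host: a TCP SYN that matches the dnat rule
# in prerouting and is then seen in input, and a UDP packet that matches only nftrace.
SAMPLE = """\
trace id 3a1c2f ip nat prerouting_nat packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.5 tcp dport 443 tcp flags syn
trace id 3a1c2f ip nat prerouting_nat rule ip saddr 192.0.2.10 tcp dport 443 dnat to 198.51.100.7 (verdict accept)
trace id 3a1c2f ip nat input_nat packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.7 tcp dport 443 tcp flags syn
trace id 3a1c2f ip nat input_nat policy accept
trace id 7b9e00 ip nat prerouting_nat packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.5 udp dport 53
trace id 7b9e00 ip nat prerouting_nat rule meta nftrace set 1 (verdict continue)
trace id 7b9e00 ip nat prerouting_nat policy accept
"""

def parse_trace(text):
    """Group trace lines by trace id into (chain, kind, detail, verdict) events."""
    flows = {}  # insertion-ordered, so ids stay in arrival order
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a trace line (nft monitor also reports ruleset changes)
        ev, chain = m["event"], m["chain"]
        if (r := RULE_RE.match(ev)):
            event = (chain, "rule", r["expr"], r["verdict"])
        elif ev.startswith(("verdict ", "policy ")):
            kind, verdict = ev.split(" ", 1)
            event = (chain, kind, None, verdict)
        else:  # "packet: ..." header line; it carries no verdict
            event = (chain, "packet", ev, None)
        flows.setdefault(m["id"], []).append(event)
    return flows

def summarize(events):
    """Return (chains in traversal order, last verdict that ended chain traversal)."""
    path, verdict = [], None
    for chain, _, _, v in events:
        if not path or path[-1] != chain:
            path.append(chain)
        if v and v != "continue":  # "continue" keeps evaluating the chain
            verdict = v
    return path, verdict

def nat_hits(events):
    """Matched rule expressions that carry a nat statement (the 'trigger' of point 1)."""
    return [e for _, k, e, _ in events if k == "rule" and re.search(r"\b(dnat|snat|masquerade|redirect)\b", e)]
```

Feed it real output with `nft monitor trace | python3 -c '...'` or by reading a saved capture; chains named after their hook, as in the configuration above, make the reported path directly readable as a hook sequence.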
