Re: Bug report DNAT destination not work

Re: Bug report DNAT destination not work

[Florian Westphal]

Martin Zaharinov <micron10@gmail.com> wrote:
> iptables -t nat -A PREROUTING -d 100.91.1.238/32 -i bond0 -p tcp --dport
> 7878 -j DNAT --to-destination 10.240.241.99:7878
> iptables v1.8.9 (legacy): unknown option "--to-destination"
> Try `iptables -h' or 'iptables --help' for more information.

Looks like a problem with your iptables installation which can't find
libxt_DNAT.so?  In v1.8.9 this should be a symlink to libxt_NAT.so.

If you run 'iptables -j DNAT --help' and it doesn't say

"DNAT target options:" at the end then it very much looks like a
problem with your iptables installation and not the kernel.

> try with kernel 6.1.11 6.1.12 6.1.13

Tested iptables-nft and iptables-legacy on 1.8.9 with kernel 6.1.14, no problems.

There were no significant kernel changes in this area that I know of in
6.1 either.

Re: Bug report DNAT destination not work

[Martin Zaharinov]

Hi Team
Little update

iptables 1.8.8 work 
after rebuild and install 1.8.9 
 iptables -t nat -A PREROUTING -d 100.91.1.238/32 -i bond0 -p tcp --dport 7878 -j DNAT --to-destination 78.142.32.70:7878

stop work with this error.

m.

> On 1 Mar 2023, at 17:05, Martin Zaharinov <micron10@gmail.com> wrote:
> 
> Hi team
> 
> i see one bug after kernel 6.1
> 
> 
> iptables -t nat -A PREROUTING -d 100.91.1.238/32 -i bond0 -p tcp --dport 7878 -j DNAT --to-destination 10.240.241.99:7878
> iptables v1.8.9 (legacy): unknown option "--to-destination"
> Try `iptables -h' or 'iptables --help' for more information.
> 
> try with kernel 6.1.11 6.1.12 6.1.13
> and 6.2.1
> 
> Best regards,
> Martin
> 

Re: Bug report DNAT destination not work

[Martin Zaharinov]

Hi Florian


i recheck and libxt_DNAT.so is symlink to libxt_NAT.so


and i try : 

iptables v1.8.9 (nf_tables)

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain		Append to chain
  --check   -C chain		Check for the existence of a rule
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
				List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
				Print the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
				Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
  --delete-chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
				Change chain name, (moving any references)

Options:
    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)
    --ipv6	-6		Error (line is ignored by iptables-restore)
[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'
[!] --source	-s address[/mask][...]
				source specification
[!] --destination -d address[/mask][...]
				destination specification
[!] --in-interface -i input name[+]
				network interface name ([+] for wildcard)
 --jump	-j target
				target for rule (may load target extension)
  --goto      -g chain
			       jump to chain with no return
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
[!] --out-interface -o output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter')
  --verbose	-v		verbose mode
  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters -c PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.




and show help .

same here i test with both : iptables-nft and iptables-legacy


restore to version 1.8.8 and all is fine.

 i will try to rebuild and recheck if same is happen will update you.


m.

> On 2 Mar 2023, at 12:43, Florian Westphal <fw@strlen.de> wrote:
> 
> Martin Zaharinov <micron10@gmail.com> wrote:
>> iptables -t nat -A PREROUTING -d 100.91.1.238/32 -i bond0 -p tcp --dport
>> 7878 -j DNAT --to-destination 10.240.241.99:7878
>> iptables v1.8.9 (legacy): unknown option "--to-destination"
>> Try `iptables -h' or 'iptables --help' for more information.
> 
> Looks like a problem with your iptables installation which can't find
> libxt_DNAT.so?  In v1.8.9 this should be a symlink to libxt_NAT.so.
> 
> If you run 'iptables -j DNAT --help' and it doesn't say
> 
> "DNAT target options:" at the end then it very much looks like a
> problem with your iptables installation and not the kernel.
> 
>> try with kernel 6.1.11 6.1.12 6.1.13
> 
> Tested iptables-nft and iptables-legacy on 1.8.9 with kernel 6.1.14, no problems.
> 
> There were no significant kernel changes in this area that I know of in
> 6.1 either.

Re: Bug report DNAT destination not work

[Florian Westphal]

Martin Zaharinov <micron10@gmail.com> wrote:
> Hi Florian
> 
> 
> i recheck and libxt_DNAT.so is symlink to libxt_NAT.so
> 
> and i try : 
> 
> iptables v1.8.9 (nf_tables)

What did you try?

>   --modprobe=<command>		try to insert modules using this command
>   --set-counters -c PKTS BYTES	set the counter during insert/append
> [!] --version	-V		print package version.
> 
> 
> and show help .

No idea what you did or what you are trying to show.
IFF you ran "iptables -j DNAT --help", then libxt_DNAT is not
found resp. iptables is looking at the wrong place.

$ iptables-legacy -V
iptables v1.8.9 (legacy)
$ iptables -j DNAT --help
[..]
DNAT target options:
 --to-destination [<ipaddr>[-<ipaddr>]][:port[-port[/port]]]
                  Address to map destination to.
[--random] [--persistent]
$

I can only guess what the problem might be.

Maybe 'strace -f -e file iptables -j DNAT --help' will give a clue,
there should be lines like this:

newfstatat(AT_FDCWD, "/usr/lib64/xtables/libipt_DNAT.so", 0x7ffe94e3f180, 0) = -1 ENOENT
newfstatat(AT_FDCWD, "/usr/lib64/xtables/libxt_DNAT.so", {st_mode=S ... = 0
openat(AT_FDCWD, "/usr/lib64/xtables/libxt_DNAT.so", O_RDONLY|O_CLOEXEC) = 4