netfilter-devel.vger.kernel.org archive mirror
* [PATCH iptables] ip6tables: masquerade: use fully-random so that nft can understand the rule
@ 2021-08-04 15:50 Pavel Tikhomirov
  2021-08-04 15:57 ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Pavel Tikhomirov @ 2021-08-04 15:50 UTC (permalink / raw)
  To: netfilter-devel
  Cc: Pablo Neira Ayuso, Florian Westphal, Shivani Bhardwaj,
	Max Laverse, Pavel Tikhomirov, kernel

Here is the problem:

[]# nft -v
nftables v0.9.8 (E.D.S.)
[]# iptables-nft -v
iptables v1.8.7 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
[]# nft flush ruleset
[]# ip6tables-nft -t nat -A POSTROUTING  -j MASQUERADE --random-full
[]# nft list ruleset
table ip6 nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 0 bytes 0 masquerade  random-fully
	}
}
[]# nft list ruleset > /tmp/ruleset
[]# nft flush ruleset
[]# nft -f /tmp/ruleset
/tmp/ruleset:4:54-54: Error: syntax error, unexpected newline
		counter packets 0 bytes 0 masquerade  random-fully

That's because nft list ruleset saves "random-fully", which is the wrong
format for nft -f; the right one should be "fully-random".

We face this problem because we run k8s in a Virtuozzo container, and k8s
creates those "random-fully" rules via iptables(nft); CRIU then can't
restore those rules using nft.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 extensions/libip6t_MASQUERADE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
index f92760fa..f28f071b 100644
--- a/extensions/libip6t_MASQUERADE.c
+++ b/extensions/libip6t_MASQUERADE.c
@@ -163,7 +163,7 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
 
 	xt_xlate_add(xl, " ");
 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
-		xt_xlate_add(xl, "random-fully ");
+		xt_xlate_add(xl, "fully-random ");
 
 	return 1;
 }
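Review bot: the keyword swap itself is correct against the nft -f error shown in the commit message, but two adjacent things in this hunk are worth a look. First, `xt_xlate_add(xl, " ");` runs unconditionally before the flag check, which is the likely source of the double space in `masquerade  random-fully` in the dump above, and the replacement literal keeps a trailing space (`"fully-random "`); moving the separator inside the `if` would give `masquerade fully-random` with no stray whitespace. Second, the hunk only touches libip6t_MASQUERADE.c; if the extension has a .txlate test file, its expected output should be updated in the same patch so the xlate test suite exercises the new spelling.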
-- 
2.31.1
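The round trip in the commit message fails on the keyword spelling alone, so a restore path (such as the CRIU case described) can be made tolerant of dumps produced by an iptables-nft build predating this fix. The following is an added example, not code from iptables, nftables or this patch: a small filter over `nft list ruleset` output that rewrites `random-fully` to `fully-random` only inside NAT statements, leaving quoted strings such as chain comments untouched. The set of statement names it checks (masquerade, snat, dnat, redirect) and the treatment of quoted text are my assumptions; the sample ruleset is constructed from the dump shown above.

```python
"""Normalize the NAT flag keyword in a saved nftables ruleset dump.

Added example, not part of iptables or nftables.  It assumes only what the
commit message shows: `nft -f` accepts "fully-random" and rejects
"random-fully" in NAT statements.
"""
from __future__ import annotations

import re

# iptables-nft (before the fix) printed the xt flag name; the nft grammar
# wants the reversed spelling.
BAD_KEYWORD = "random-fully"
GOOD_KEYWORD = "fully-random"

# Statements whose flag list may carry the keyword (assumed list).
NAT_STATEMENTS = ("masquerade", "snat", "dnat", "redirect")

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def _mask_quoted(line: str) -> str:
    """Blank out quoted strings (e.g. comment "...") with same-length spaces
    so offsets still line up but keywords inside quotes are never matched."""
    return _QUOTED.sub(lambda m: " " * len(m.group(0)), line)


def fix_line(line: str) -> tuple[str, bool]:
    """Return (fixed_line, changed).  The keyword is rewritten only when the
    unquoted part of the line contains a NAT statement; any other line is
    returned byte-for-byte."""
    mask = _mask_quoted(line)
    if not any(re.search(rf"\b{stmt}\b", mask) for stmt in NAT_STATEMENTS):
        return line, False
    out: list[str] = []
    pos = 0
    changed = False
    for m in re.finditer(rf"\b{BAD_KEYWORD}\b", mask):
        out.append(line[pos:m.start()])
        out.append(GOOD_KEYWORD)
        pos = m.end()
        changed = True
    out.append(line[pos:])
    return "".join(out), changed


def fix_ruleset(text: str) -> tuple[str, list[int]]:
    """Rewrite a whole `nft list ruleset` dump.  Returns the fixed text and
    the 1-based numbers of the lines that were changed, for logging."""
    fixed_lines: list[str] = []
    changed_at: list[int] = []
    for n, line in enumerate(text.splitlines(keepends=True), start=1):
        fixed, changed = fix_line(line)
        fixed_lines.append(fixed)
        if changed:
            changed_at.append(n)
    return "".join(fixed_lines), changed_at


# Constructed sample: the dump from the report, plus a comment that must
# survive untouched even though it contains the bad keyword.
SAMPLE_RULESET = (
    "table ip6 nat {\n"
    "\tchain POSTROUTING {\n"
    "\t\ttype nat hook postrouting priority srcnat; policy accept;\n"
    "\t\tcounter packets 0 bytes 0 masquerade  random-fully"
    ' comment "random-fully"\n'
    "\t}\n"
    "}\n"
)

if __name__ == "__main__":
    fixed, lines = fix_ruleset(SAMPLE_RULESET)
    print(f"rewrote keyword on line(s): {lines}")
    print(fixed, end="")
```

In a restore tool the filtered text would be handed to `nft -f` (or checked first with `nft -c -f`) instead of the raw dump; running the filter twice is a no-op, so it is safe to apply to dumps that were already written by a fixed iptables.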



* Re: [PATCH iptables] ip6tables: masquerade: use fully-random so that nft can understand the rule
  2021-08-04 15:50 [PATCH iptables] ip6tables: masquerade: use fully-random so that nft can understand the rule Pavel Tikhomirov
@ 2021-08-04 15:57 ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2021-08-04 15:57 UTC (permalink / raw)
  To: Pavel Tikhomirov
  Cc: netfilter-devel, Pablo Neira Ayuso, Florian Westphal,
	Shivani Bhardwaj, Max Laverse, kernel

Pavel Tikhomirov <ptikhomirov@virtuozzo.com> wrote:
> That's because nft list ruleset saves "random-fully", which is the wrong
> format for nft -f; the right one should be "fully-random".

Right.  Patch is applied, thanks!

