Redirect doesn't do the job as dnat does

Redirect doesn't do the job as dnat does

[Tech]

Hi,

nftables v1.0.6 (Lester Gooch #5) on debian bookworm kernel 6.5 from 
unstable. Simple test

#!/bin/sh

sudo nft flush ruleset
sudo nft add table ip6 nat
sudo nft add chain ip6 nat prerouting { type nat hook prerouting 
priority 0 \; }
sudo nft add chain ip6 nat postrouting { type nat hook postrouting 
priority 100 \; }

#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 
58194-58197 } dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 
58194-58197 } dnat to [fd99:d:e:f::1]:58198

sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport 
58194 redirect to :58198 ; <= this one doesn't work

#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 
dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 
dnat to [fd99:d:e:f::1]:58198

in another terminal I run
nc -vl :: 58198
Listening on :: 58198

 From another computer
nc -v 2001:db8::1 58194
nc: connect to 2001:db8::1 port 58194 (tcp) failed: Connection timed out

As you see I never get input on port 58198 with redirect, also tested by 
activating forwarding like below but no luck
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Replacing the redirect rule with any on the 4 others rules above, I get 
the right behavior

nc -vl :: 58198
Listening on :: 58198
Connection received on 2001:db8:a:b::c 54748

nc -v 2001:db8::1 58194
Connection to 2001:db8::1 58194 port [tcp/*] succeeded!

Does it mean that redirect is broken or abandonned or did I miss something ?

-- 
Daniel

Re: Redirect doesn't do the job as dnat does

[Florian Westphal]

Tech <tech@tootai.net> wrote:
> in another terminal I run
> nc -vl :: 58198
> Listening on :: 58198

Please also spawn tcdump -n "tcp port 58198 or tcp port 58194"

Re: Redirect doesn't do the job as dnat does

[Tech]

Le 05/11/2023 à 16:27, Florian Westphal a écrit :

> Tech<tech@tootai.net>  wrote:
>> in another terminal I run
>> nc -vl :: 58198
>> Listening on :: 58198
> Please also spawn tcdump -n "tcp port 58198 or tcp port 58194"
Sended per PM

-- 
Daniel

Re: Redirect doesn't do the job as dnat does

[Florian Westphal]

Tech <tech@tootai.net> wrote:
> Le 05/11/2023 à 16:27, Florian Westphal a écrit :
> 
> > Tech<tech@tootai.net>  wrote:
> > > in another terminal I run
> > > nc -vl :: 58198
> > > Listening on :: 58198
> > Please also spawn tcdump -n "tcp port 58198 or tcp port 58194"
> Sended per PM

The dump was very boring, shows SYNs without any replies.

redirect is the same as dnat, except that redirect just takes
the first address that it finds on the given interface.

So I'd guess that it picks an unusable one, e.g. link-local.

Can you post 'ip -6 addr show dev $dev" ?

Re: Redirect doesn't do the job as dnat does

[Tech]

Le 08/11/2023 à 10:33, Florian Westphal a écrit :
> Tech <tech@tootai.net> wrote:
>> Le 05/11/2023 à 16:27, Florian Westphal a écrit :
>>> Tech<tech@tootai.net> wrote:
>>>> in another terminal I run nc -vl :: 58198 Listening on :: 58198 
>>> Please also spawn tcdump -n "tcp port 58198 or tcp port 58194" 
>> Sended per PM 
> The dump was very boring, shows SYNs without any replies. redirect is 
> the same as dnat, except that redirect just takes the first address 
> that it finds on the given interface. So I'd guess that it picks an 
> unusable one, e.g. link-local. Can you post 'ip -6 addr show dev $dev" ?
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state 
UP group default qlen 1000
     altname enp0s3
     altname ens3
     inet6 ::ffff:100.64.229.29/96 scope global
        valid_lft forever preferred_lft forever
     inet6 2a01:4f8:c0c:9e5b::1/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::9400:2ff:fe39:962c/64 scope link
        valid_lft forever preferred_lft forever

-- 

Daniel Huhardeaux +33.368460088@tootai.net sip:820@sip.tootai.net 
+41.445532125@swiss-itech.ch tootaiNET

Re: Redirect doesn't do the job as dnat does

[Florian Westphal]

Tech <tech@tootai.net> wrote:
> > The dump was very boring, shows SYNs without any replies. redirect is
> > the same as dnat, except that redirect just takes the first address that
> > it finds on the given interface. So I'd guess that it picks an unusable
> > one, e.g. link-local. Can you post 'ip -6 addr show dev $dev" ?
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
> group default qlen 1000
>     altname enp0s3
>     altname ens3
>     inet6 ::ffff:100.64.229.29/96 scope global
>        valid_lft forever preferred_lft forever
>     inet6 2a01:4f8:c0c:9e5b::1/64 scope global
>        valid_lft forever preferred_lft forever

Thanks.  Its probably pulling he mapped address
from the list.

I think we'll need to try harder.  Can you test a patch?