* nftables compatibility
@ 2014-12-02 22:09 Jean-Philippe Menil
2014-12-02 22:15 ` Eric Leblond
0 siblings, 1 reply; 5+ messages in thread
From: Jean-Philippe Menil @ 2014-12-02 22:09 UTC (permalink / raw)
To: netfilter
Hi,

While playing with nftables, I observe that my iptables masquerading does not
work anymore:

modprobe nft_nat
modprobe nft_chain_nat_ipv4
nft add table nat
nft add chain nat postrouting { type nat hook postrouting priority 0 \; }

^^ iptables NAT stopped working here.

I'm sure I read that nftables and iptables were compatible.

Can anyone point me to what I am missing?

(I'm on 3.17.4)

Best regards.
* Re: nftables compatibility
From: Eric Leblond @ 2014-12-02 22:15 UTC
To: jpmenil; +Cc: netfilter

Hi,

On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
> Hi,
>
> While playing with nftables, I observe that my iptables masquerading does not
> work anymore:
>
> modprobe nft_nat
> modprobe nft_chain_nat_ipv4
> nft add table nat
> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>
> ^^ iptables NAT stopped working here.
>
> I'm sure I read that nftables and iptables were compatible.
>
> Can anyone point me to what I am missing?
>
> (I'm on 3.17.4)

Sadly, masquerade requires 3.18. Only standard NAT is implemented in
3.17.x.

BR,
--
Eric Leblond <eric@regit.org>
* Re: nftables compatibility
From: Jean-Philippe Menil @ 2014-12-03 7:30 UTC
To: Eric Leblond; +Cc: netfilter

On 02/12/2014 23:15, Eric Leblond wrote:
> Hi,
>
> On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
>> Hi,
>>
>> While playing with nftables, I observe that my iptables masquerading does not
>> work anymore:
>>
>> modprobe nft_nat
>> modprobe nft_chain_nat_ipv4
>> nft add table nat
>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>>
>> ^^ iptables NAT stopped working here.
>>
>> I'm sure I read that nftables and iptables were compatible.
>>
>> Can anyone point me to what I am missing?
>>
>> (I'm on 3.17.4)
>
> Sadly, masquerade requires 3.18. Only standard NAT is implemented in
> 3.17.x.
>
> BR,
>
Hi Eric,

thanks for your response.

I've seen on the wiki that masquerading requires a 3.18 kernel.

But why does just adding the type nat hook with nftables break the iptables
masquerading?

There's no problem at all, I will upgrade to 3.18 for my tests.

Best regards.
* Re: nftables compatibility
From: Pablo Neira Ayuso @ 2014-12-03 11:00 UTC
To: Jean-Philippe Menil; +Cc: Eric Leblond, netfilter

On Wed, Dec 03, 2014 at 08:30:52AM +0100, Jean-Philippe Menil wrote:
> On 02/12/2014 23:15, Eric Leblond wrote:
> > Hi,
> >
> > On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
> >> Hi,
> >>
> >> While playing with nftables, I observe that my iptables masquerading does not
> >> work anymore:
> >>
> >> modprobe nft_nat
> >> modprobe nft_chain_nat_ipv4
> >> nft add table nat
> >> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }

BTW, you will also have to add the prerouting nat chain so the NAT
engine can undo NAT for reply traffic, see:

http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

> >> ^^ iptables NAT stopped working here.
> >>
> >> I'm sure I read that nftables and iptables were compatible.
> >>
> >> Can anyone point me to what I am missing?
> >>
> >> (I'm on 3.17.4)
> >
> > Sadly, masquerade requires 3.18. Only standard NAT is implemented in
> > 3.17.x.
> >
> > BR,
> >
> Hi Eric,
>
> thanks for your response.
>
> I've seen on the wiki that masquerading requires a 3.18 kernel.
>
> But why does just adding the type nat hook with nftables break the iptables
> masquerading?

Because the NAT engine attaches the null NAT binding (i.e. this
conntrack has no NAT at all) when the packet leaves the chain without
matching any rule.

If you run iptables and nf_tables for NAT at the same time, the first
chain will configure NAT for the conntrack, the second will just skip
the packet since NAT has already been set up.

> There's no problem at all, I will upgrade to 3.18 for my tests.

Thanks.
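Pablo's explanation gives a practitioner two things to check before debugging a NAT setup: whether iptables and nftables both register nat chains (only the first chain to see a connection sets the conntrack NAT binding, the other is skipped), and whether the nft nat table has the prerouting chain he mentions. The POSIX shell script below is an added example, not code from this thread or from the netfilter project; it runs the two checks over constructed samples of `nft list ruleset` and `iptables-save -t nat` output, so it needs neither root nor a live kernel.

```shell
#!/bin/sh
# Added example: audit NAT dumps for the two pitfalls discussed in the thread.
# Constructed sample of `nft list ruleset` output with a postrouting chain only.
NFT_SAMPLE='table ip nat {
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        oifname "eth0" masquerade
    }
}'
# Constructed sample with both nat chains, as the nftables wiki recommends.
NFT_GOOD='table ip nat {
    chain prerouting { type nat hook prerouting priority 0; policy accept; }
    chain postrouting { type nat hook postrouting priority 0; policy accept; oifname "eth0" masquerade }
}'
# Constructed sample of `iptables-save -t nat` output with a MASQUERADE rule.
IPT_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the hook name of every nat-type base chain found in an nft dump.
nft_nat_hooks() {
    printf '%s\n' "$1" |
        awk '/type nat hook/ { for (i = 1; i <= NF; i++) if ($i == "hook") print $(i + 1) }'
}

# Count rules (-A lines) in an iptables-save dump of the nat table.
ipt_nat_rule_count() {
    printf '%s\n' "$1" | awk '/^-A / { n++ } END { print n + 0 }'
}

# Return 0 when the dumps look consistent, 1 with findings printed on stdout.
check_nat_setup() {
    hooks=$(nft_nat_hooks "$1"); rc=0
    if [ -z "$hooks" ]; then return 0; fi   # no nft nat chains: nothing to check
    if [ "$(ipt_nat_rule_count "$2")" -gt 0 ]; then
        echo "conflict: iptables nat rules and nft nat chains are both loaded;" \
             "the first chain sets the conntrack NAT binding, the other is skipped"
        rc=1
    fi
    for h in prerouting postrouting; do
        printf '%s\n' "$hooks" | grep -qx "$h" || { echo "missing nat hook: $h"; rc=1; }
    done
    return $rc
}

if check_nat_setup "$NFT_SAMPLE" "$IPT_SAMPLE"; then echo "nat setup ok"; fi
```

On a real host, feed it `"$(nft list ruleset)"` and `"$(iptables-save -t nat)"` instead of the constructed samples.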
* Re: nftables compatibility
From: Jean-Philippe Menil @ 2014-12-03 11:02 UTC
To: Pablo Neira Ayuso; +Cc: Eric Leblond, netfilter

On 03/12/2014 12:00, Pablo Neira Ayuso wrote:
> On Wed, Dec 03, 2014 at 08:30:52AM +0100, Jean-Philippe Menil wrote:
>> On 02/12/2014 23:15, Eric Leblond wrote:
>>> Hi,
>>>
>>> On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
>>>> Hi,
>>>>
>>>> While playing with nftables, I observe that my iptables masquerading does not
>>>> work anymore:
>>>>
>>>> modprobe nft_nat
>>>> modprobe nft_chain_nat_ipv4
>>>> nft add table nat
>>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>
> BTW, you will also have to add the prerouting nat chain so the NAT
> engine can undo NAT for reply traffic, see:
>
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

Yes, I just forgot to paste it in the mail :)

>
>>>> ^^ iptables NAT stopped working here.
>>>>
>>>> I'm sure I read that nftables and iptables were compatible.
>>>>
>>>> Can anyone point me to what I am missing?
>>>>
>>>> (I'm on 3.17.4)
>>>
>>> Sadly, masquerade requires 3.18. Only standard NAT is implemented in
>>> 3.17.x.
>>>
>>> BR,
>>>
>> Hi Eric,
>>
>> thanks for your response.
>>
>> I've seen on the wiki that masquerading requires a 3.18 kernel.
>>
>> But why does just adding the type nat hook with nftables break the iptables
>> masquerading?
>
> Because the NAT engine attaches the null NAT binding (i.e. this
> conntrack has no NAT at all) when the packet leaves the chain without
> matching any rule.
>
> If you run iptables and nf_tables for NAT at the same time, the first
> chain will configure NAT for the conntrack, the second will just skip
> the packet since NAT has already been set up.

Ok, now I understand better. Many thanks!