From: sorcus@inwebse.com
Subject: Re: What wrong with snat in nftables?
Date: Fri, 14 Jul 2017 01:06:17 +0000
Message-ID: <6687da5a7ee70c19e1c3b41fea5fb20f@inwebse.com>
References: <691d19d7765158dc9d10dd62b5033536@inwebse.com>
To: Anton Danilov
Cc: netfilter@vger.kernel.org

Nftables rules for server - https://gist.github.com/MrSorcus/17827298ad81970cc272b9e7f779923f
Nftables rules for client - https://gist.github.com/MrSorcus/ad05f19759e02f92aac5d9c246f56cf6

I used information from here - https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

> 1. flush conntrack entries after changing of rules in the nat table.

"conntrack -D" shows me "0 flow entries have been deleted.". But "/proc/net/nf_conntrack" has 3 entries...

> 2. add counters to nftables nat rule to check that rule really hit the
> packets.
chain postrouting {
	type nat hook postrouting priority 0; policy drop;
	# snat is a terminal statement: once it runs, rule evaluation in this chain ends,
	# so packets that matched here never reach the accept rule below (hence its 0 count)
	oif "enp0s3" nftrace set 1 counter packets 3 bytes 312 snat to 2a01:4f8:xx:xx::10
	nftrace set 1 counter packets 0 bytes 0 accept comment "IPv6 < Nat < Postrouting"
}

With the git versions of nftables, libmnl & libnftnl and kernels 4.9, 4.11 & 4.12 it doesn't work... With an Arch Linux server it doesn't work either...

> On 2017-07-11 10:10, Anton Danilov wrote:
>> Hello.
>> I haven't seen the nftables rules.
>>
>> Seems like you have misconfiguration in the nftables rules.
>>
>> NAT action are being done in the conntrack subsystem, and *tables just
>> apply the rule for first packets of NEW state connection and create
>> special conntrack entries. Other packets of this known connection
>> bypass the rules in the nat table. So it caused working after moving
>> back from ip6tables to nftables, because it hasn't affected the
>> conntrack entries.
>>
>> So, these are two recommends:
>>
>> 1. flush conntrack entries after changing of rules in the nat table.
>> 2. add counters to nftables nat rule to check that rule really hit the
>> packets.
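Added example, not part of this thread or of either gist: a POSIX sh script that carries out Anton's two recommendations as a repeatable check. It parses `nft -a list chain` output for per-rule packet counters, takes a snapshot before and after a fresh test connection (with conntrack flushed in between, since a nat chain only sees the first packet of a connection), and reports the delta for the snat rule. The two `nft` snapshots embedded below are constructed to mirror the chain posted above; the rule handles 4 and 5 and the `ip6 nat postrouting` naming are assumptions, and the masked `2a01:4f8:xx:xx::10` is kept exactly as the poster wrote it.

```shell
#!/bin/sh
# Verify that an nftables nat rule is actually hit: counters + conntrack flush.
# Constructed sample output of `nft -a list chain ip6 nat postrouting`, taken
# before and after one new outbound connection (handles 4/5 are assumed).
SAMPLE_BEFORE='table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority 0; policy drop;
		oif "enp0s3" counter packets 3 bytes 312 snat to 2a01:4f8:xx:xx::10 # handle 4
		counter packets 0 bytes 0 accept comment "IPv6 < Nat < Postrouting" # handle 5
	}
}'
SAMPLE_AFTER='table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority 0; policy drop;
		oif "enp0s3" counter packets 4 bytes 416 snat to 2a01:4f8:xx:xx::10 # handle 4
		counter packets 0 bytes 0 accept comment "IPv6 < Nat < Postrouting" # handle 5
	}
}'

# rule_counters: stdin is `nft -a list chain ...` output; prints "<handle> <packets>"
# for each rule carrying a counter. Only rule lines have both "counter packets"
# and a "# handle N" trailer, so the chain header line is skipped.
rule_counters() {
	awk '/counter packets/ && /# handle/ {
		for (i = 1; i <= NF; i++) {
			if ($i == "packets") p = $(i + 1)
			if ($i == "handle") h = $(i + 1)
		}
		print h, p
	}'
}

# packets_for_handle <handle>: stdin as above; prints that one rule's packet count.
packets_for_handle() {
	rule_counters | awk -v h="$1" '$1 == h { print $2 }'
}

# counter_delta <handle> <before-text> <after-text>: packets the rule saw between
# the snapshots. 0 after a fresh NEW connection means the rule never matched,
# i.e. the problem is the match expression, not the NAT mapping itself.
counter_delta() {
	b=$(printf '%s\n' "$2" | packets_for_handle "$1")
	a=$(printf '%s\n' "$3" | packets_for_handle "$1")
	echo $(( ${a:-0} - ${b:-0} ))
}

# live_nat_check <family> <table> <chain> <handle> [seconds] [snat-addr]:
# the procedure for a root shell on the NAT box. Returns 0 if the rule was hit.
live_nat_check() {
	fam=$1; tbl=$2; ch=$3; h=$4; secs=${5:-10}; snat=${6:-}
	# Flush the whole table with -F. `conntrack -D` only deletes entries matching
	# a filter, and conntrack picks the address family via -f, so for IPv6 flows
	# use `conntrack -F` (everything) or `conntrack -D -f ipv6`.
	conntrack -F
	before=$(nft -a list chain "$fam" "$tbl" "$ch")
	echo "open a NEW connection through the box within ${secs}s ..."
	sleep "$secs"
	after=$(nft -a list chain "$fam" "$tbl" "$ch")
	d=$(counter_delta "$h" "$before" "$after")
	echo "rule handle $h: +$d packets"
	# If the SNAT address is known, count flows whose reply tuple points at it:
	# a translated flow lists the SNAT address as dst in its reply direction.
	if [ -n "$snat" ]; then
		n=$(conntrack -L -f ipv6 2>/dev/null | grep -c "dst=$snat")
		echo "conntrack flows replying to $snat: $n"
	fi
	[ "$d" -gt 0 ]
}

# With no arguments, run the parser over the constructed snapshots;
# `./check.sh run ip6 nat postrouting 4 10 <snat-addr>` runs the live procedure.
if [ "${1:-}" = run ]; then
	shift
	live_nat_check "$@"
else
	echo "snat rule (handle 4) delta: $(counter_delta 4 "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
	echo "accept rule (handle 5) delta: $(counter_delta 5 "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
fi
```

The parser keys on the `# handle N` trailer that `nft -a` prints, which stays stable across reloads of the same ruleset file, so the same handle can be sampled before and after traffic. Note that `nft list` also prints counters from the `counter` statement only where one exists in the rule; a rule without `counter` shows nothing and would be reported as a delta of 0.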