Linux Netfilter discussions
From: sorcus@inwebse.com
To: netfilter@vger.kernel.org
Subject: What wrong with snat in nftables?
Date: Mon, 10 Jul 2017 13:36:41 +0000
Message-ID: <691d19d7765158dc9d10dd62b5033536@inwebse.com>

I have two virtual machines (server, client) with a WireGuard VPN.
When I try to ping any IPv6 resource from the client, packets don't return to 
the client.
tcpdump shows me ICMP Reply packets on the enp0s3 interface (server), not on 
wg0 (VPN interface on the server).
But if I disable nftables and start ip6tables, everything works.
After this step I disable ip6tables and enable nftables... Everything continues 
to work...

Software versions:
NixOS: 17.09.git.ebaff59 (Hummingbird)
WireGuard: 0.0.20170706
Nftables: 0.7

The ISO images are built with the following commands:
Server: nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_server_10.nix ./nixpkgs/nixos/default.nix
Client: nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_client_20.nix ./nixpkgs/nixos/default.nix

The Nix files are here:
https://gist.github.com/MrSorcus/d6d8b8b6acff715368844a643775c980

The virtual machines are created with the following commands:

Server: virt-install \
--name NixOSVS10 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_10.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5910,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole

Client: virt-install \
--name NixOSVS20 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_20.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5920,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole

Output of ip a, ip -6 route, route -6, wg, sysctl -a, dmesg, lsmod:

Server: 
https://gist.github.com/MrSorcus/1a8c9f5aacf8957502299d707a38c5fc
Client: 
https://gist.github.com/MrSorcus/b7dc077249ca513ca8f307a68c62d1ce

tcpdump logs from the client. Pinging IPv6 address 2001:19f0:7400:87a2::64 
(https://ipv6.net/):
https://gist.github.com/MrSorcus/03e716fba67c4119772012777847c569

Output from /proc/net/nf_conntrack:
With nftables - 
https://gist.github.com/MrSorcus/601170680ff644c52a11e5352997879a
With ip6tables - 
https://gist.github.com/MrSorcus/e043101f98e787c8cbf6d0605fd9de7e

SNAT doesn't work correctly in nftables. But it works after the following steps:
[root@nixos:~]# systemctl stop nftables
[root@nixos:~]# ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10
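The nft form of the ip6tables rule quoted above, together with the checks a practitioner would run after loading it, as an added example that is not part of the original message or thread. The interface names (enp0s3 uplink, wg0 WireGuard) and the SNAT address are taken from the post; the "xx:xx" part of the address is the poster's own placeholder and must be replaced with the real prefix. The script assumes an nft that accepts `-f -` for a ruleset on stdin and a server with IPv6 forwarding enabled; it does not claim to explain why the poster's setup behaved differently.

```shell
#!/bin/sh
# Added example (not from the original post): nft equivalent of
#   ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source <addr>
# plus post-load checks. Interface names and the SNAT address follow the
# post; "xx:xx" is the poster's placeholder (assumption: replace before use).
set -eu

UPLINK="${UPLINK:-enp0s3}"              # interface towards the Internet
VPN="${VPN:-wg0}"                        # WireGuard interface (informational)
SNAT_SRC="${SNAT_SRC:-2a01:4f8:xx:xx::10}"

# Emit the ruleset. The chain must be a base chain registered on the
# postrouting hook with "type nat"; a plain (non-base) chain loads without
# error but is never traversed, so the snat statement would do nothing.
# Priority 100 is the conventional srcnat position, matching iptables' nat.
# "add" + "flush" keeps the load idempotent without touching other tables.
nft_ruleset() {
    cat <<EOF
add table ip6 nat
flush table ip6 nat
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$UPLINK" snat to $SNAT_SRC
    }
}
EOF
}

# Confirm the rule is attached to the hook, not just present in a table.
check_loaded() {
    nft list table ip6 nat | grep -q "type nat hook postrouting" &&
    nft list table ip6 nat | grep -q "snat to $SNAT_SRC"
}

# Packets from wg0 only reach the postrouting hook on the uplink if the
# server forwards IPv6; without this the rule is never consulted.
check_forwarding() {
    [ "$(sysctl -n net.ipv6.conf.all.forwarding)" = "1" ]
}

# After a ping from the client, the conntrack entry for the flow should carry
# the client's VPN address in the original tuple and $SNAT_SRC in the reply
# tuple. This is the same file the poster captured for comparison.
show_conntrack() {
    grep '^ipv6' /proc/net/nf_conntrack | grep "$SNAT_SRC" || true
}

case "${1:-}" in
    show)  nft_ruleset ;;
    apply) nft_ruleset | nft -f - && check_forwarding && check_loaded &&
           echo "loaded; now ping from the client and run: $0 conntrack" ;;
    conntrack) show_conntrack ;;
    *)     echo "usage: $0 show|apply|conntrack" ;;
esac
```

Run `./snat6.sh show` to print the ruleset and `./snat6.sh apply` (as root) to load and verify it; if ip6tables was used in between, also check that its nat table is empty (`ip6tables -t nat -L -n`) so that only one NAT rule is translating the flow.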

Thread overview: 5+ messages
2017-07-10 13:36 sorcus [this message]
2017-07-11 10:10 ` What wrong with snat in nftables? Anton Danilov
     [not found]   ` <e55eeed4d10d0209dc4441a83b1bc922@inwebse.com>
2017-07-14  1:06     ` sorcus
2017-07-15 22:47       ` sorcus
2017-07-17 21:24         ` sorcus