From: Tech <tech@tootai.net>
To: Netfilter list <netfilter@vger.kernel.org>
Subject: Redirect doesn't do the job as dnat does
Date: Sun, 5 Nov 2023 15:58:30 +0100
Message-ID: <71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net>
Hi,
nftables v1.0.6 (Lester Gooch #5) on Debian bookworm, kernel 6.5 from
unstable. Simple test:
#!/bin/sh
# Start from an empty ruleset and create an ip6 nat table with the two nat hooks
sudo nft flush ruleset
sudo nft add table ip6 nat
sudo nft add chain ip6 nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add chain ip6 nat postrouting { type nat hook postrouting priority 100 \; }
# dnat variants (commented out; these work)
#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 58194-58197 } dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport { 58194-58197 } dnat to [fd99:d:e:f::1]:58198
# redirect variant <= this one doesn't work
sudo nft add rule ip6 nat prerouting ip6 daddr 2001:db8::1 tcp dport 58194 redirect to :58198
# dnat variants matching any destination address (commented out; these work too)
#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 dnat to :58198
#sudo nft add rule ip6 nat prerouting ip6 daddr ::/0 tcp dport 58194 dnat to [fd99:d:e:f::1]:58198
In another terminal I run:
nc -vl :: 58198
Listening on :: 58198
From another computer:
nc -v 2001:db8::1 58194
nc: connect to 2001:db8::1 port 58194 (tcp) failed: Connection timed out
As you see, I never get input on port 58198 with redirect. I also tested
with forwarding activated as below, but no luck:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Replacing the redirect rule with any of the 4 other rules above, I get
the right behavior:
nc -vl :: 58198
Listening on :: 58198
Connection received on 2001:db8:a:b::c 54748
nc -v 2001:db8::1 58194
Connection to 2001:db8::1 58194 port [tcp/*] succeeded!
Does it mean that redirect is broken or abandoned, or did I miss something?
--
Daniel
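The following is an added example, not part of the original post and not code from the nftables project: the poster's test written as one nft ruleset file with a tracing chain placed in front of the nat chain, so that the redirect case can be followed hop by hop with "nft monitor trace" instead of only observing a timed-out connect. Addresses, ports and the nat chain priorities are the ones from the post; the table name "ip6 trace", the chain names, the extra filter input/forward chains and the helper function names are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post, not nftables project code).
# Generates an nft ruleset equivalent to the poster's test, plus a tracing
# table so each chain the test flow traverses is reported by
# `nft monitor trace`.  Table name "ip6 trace" and chain names are my own.

# Print an nft ruleset to stdout.  $1 selects the rule under test:
#   redirect  -> "redirect to :58198"              (the failing case)
#   dnat      -> "dnat to :58198"                  (works for the poster)
#   dnat-addr -> "dnat to [fd99:d:e:f::1]:58198"   (also works)
ruleset_file() {
    mode="${1:-}"
    case "$mode" in
        redirect)  action='redirect to :58198' ;;
        dnat)      action='dnat to :58198' ;;
        dnat-addr) action='dnat to [fd99:d:e:f::1]:58198' ;;
        *) echo "usage: ruleset_file redirect|dnat|dnat-addr" >&2; return 2 ;;
    esac
    cat <<EOF
flush ruleset

# Mark the test flow for tracing before conntrack and NAT see it
# (priority raw = -300, ahead of the nat chain at priority 0).
# The empty input/forward chains only exist so the packet header
# after NAT is printed when the flow is delivered locally or forwarded.
table ip6 trace {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        ip6 daddr 2001:db8::1 tcp dport 58194 meta nftrace set 1
    }
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        ip6 daddr 2001:db8::1 tcp dport 58194 $action
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
    }
}
EOF
}

# Syntax-check a generated ruleset with `nft -c` (dry run, nothing applied).
# Returns 0 when nft is not installed, so the file can still be generated
# on a host without nftables and copied to the test box.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; skipping syntax check" >&2
        return 0
    fi
    ruleset_file "$1" | nft -c -f -
}

# Usage (as root, on the host that owns 2001:db8::1):
#   sh thisscript.sh apply redirect     # load the ruleset (or: dnat, dnat-addr)
#   nft monitor trace                   # second terminal
#   nc -vl :: 58198                     # third terminal
# then from another host: nc -v 2001:db8::1 58194
if [ "${1:-}" = "apply" ]; then
    check_ruleset "${2:-redirect}" && ruleset_file "${2:-redirect}" | nft -f -
fi
```

With the ruleset loaded, "nft monitor trace" prints, for the marked flow, every chain it traverses together with the rule it matched and the verdict; the packet header shown for the input or forward chain carries the destination address and port after NAT. That separates the two things the post cannot tell apart: a packet that never reaches the nat prerouting rule at all, and a redirect that does fire but maps the destination to a local address or port other than the one nc is listening on.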
Thread overview: 6+ messages
2023-11-05 14:58 Tech [this message]
2023-11-05 15:27 ` Redirect doesn't do the job as dnat does Florian Westphal
2023-11-05 15:55 ` Tech
[not found] ` <a7f19ab3-5fc8-4816-a403-9ae2a4b51358@tootai.net>
2023-11-08 9:33 ` Florian Westphal
2023-11-08 9:47 ` Tech
2023-11-08 10:18 ` Florian Westphal