OK.. I think I found the issue... sorry for the noise. TL/DR version:
all the iptables targets working in compatibility mode (-j NFLOG, -j TRACE, etc) might face issues and not work correctly when using nf-tables by default (nft_compat -> x_tables over nftables).

Explanation:

If I execute my tool with "iptables-legacy" and have an iptables-legacy rules only firewall.. it works perfectly....

Now, if I have an iptables-nft rules only firewall and run my tool with "iptables-nft".. it does not work:

  TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: rule, position: 4
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: rule, position: 4

  TCPv6 [ 0] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: rule, position: 4
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: rule, position: 4

versus

  TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: policy
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: policy

  TCPv6 [ 5] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: policy
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: policy

meaning that in the latter case the flow was said to be processed by:

  Table: filter, chain: OUTPUT default policy

but if we look closely:

$ sudo iptables -t filter -L OUTPUT -n --line-numbers
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0

So it is hard to understand if the flow was processed by:

  Table: filter, chain: OUTPUT default policy
  OR
  Table: filter, chain: OUTPUT, rule: #4

Let's remove the rule:

$ sudo iptables -t filter -D OUTPUT -p tcp -j ACCEPT

and yes, the flow stops working. It means that the TRACE iptables target cannot work with nf-tables (or nf-tables-compat). I'll have to use nf-tables tracing features eventually.

Cheers o/

-rafaeldtinoco

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
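The practical check that follows from the mail above, as an added example that is not part of the original post or of the author's tool: before trusting `-j TRACE` output, confirm which iptables backend the `iptables` binary is wired to (`iptables -V` prints `(nf_tables)` or `(legacy)` after the version string), and on the nf_tables backend switch to nftables-native tracing (`meta nftrace set 1` plus `nft monitor trace`) rather than the xtables TRACE target. The `ip filter` / `OUTPUT` names are the ones iptables-nft creates; the `tcp dport 22` selector matching the ssh flow from the mail, and the `IPTABLES_VERSION_LINE` override variable, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): decide which iptables backend is
# in use before trusting -j TRACE output, and print the nftables-native tracing
# commands when the nf_tables backend is active.

# Classify an "iptables -V" line. Modern iptables prints "(nf_tables)" or
# "(legacy)" after the version string; anything else is reported as unknown.
detect_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Print the tracing commands appropriate for a backend. With iptables-nft the
# tables live in the "ip" family under the same names (table filter, chain
# OUTPUT), so nftrace can be set on the flow directly; the "tcp dport 22"
# selector is an assumption matching the ssh flow discussed in the mail.
trace_commands() {
    case "$1" in
        legacy)
            printf '%s\n' \
              'iptables-legacy -t raw -I OUTPUT -p tcp --dport 22 -j TRACE' \
              'dmesg -w   # TRACE output lands in the kernel log'
            ;;
        nf_tables)
            printf '%s\n' \
              'nft insert rule ip filter OUTPUT tcp dport 22 meta nftrace set 1' \
              'nft monitor trace'
            ;;
        *)
            return 1
            ;;
    esac
}

# Stand-alone use: query the live binary unless a version line was supplied
# through IPTABLES_VERSION_LINE (constructed input for offline runs).
if [ -z "${IPTABLES_VERSION_LINE-}" ] && command -v iptables >/dev/null 2>&1; then
    IPTABLES_VERSION_LINE=$(iptables -V 2>/dev/null)
fi
if [ -n "${IPTABLES_VERSION_LINE-}" ]; then
    backend=$(detect_backend "$IPTABLES_VERSION_LINE")
    echo "backend: $backend"
    trace_commands "$backend" || echo "cannot determine backend; check iptables -V by hand"
fi
```

Run it as `IPTABLES_VERSION_LINE="$(iptables -V)" sh trace-hint.sh` on a box where you cannot run the binary as the script's user, or just `sh trace-hint.sh` where you can; on the nf_tables backend it prints the `nft` pair, which is the tracing path the mail concludes it will have to move to.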