[pkg-netfilter-team] Bug#932899: iptables-translate silently discards --ctstate DNAT
Trent W. Buck
trentbuck at gmail.com
Wed Jul 24 14:22:25 BST 2019
Package: iptables
Version: 1.8.2-4
Severity: minor
This appears to be wrong -- the DNAT is "eaten":
root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct state counter accept
root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
I think the output should be:
root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct status dnat counter accept
root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
nft add rule ip filter INPUT ct status dnat counter accept
I am new to nftables, so I may have missed something obvious.
If so, sorry to bother you!
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
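An added example, not iptables code and not from the reporter: a Python translation of a `--ctstate` list that emits the rules the report expects, plus a check that lists which `--ctstate` values a given iptables-translate output dropped. The `ct state` keyword order is assumed from the observed "related,established" output, and the one-rule-per-NAT-flag split is the report's proposal.

```python
import re

# --ctstate values that are nft `ct state` keywords, in the order the observed
# iptables-translate output prints them ("related,established"); the order is
# an assumption taken from that output.
CT_STATE_ORDER = ("invalid", "new", "related", "established", "untracked")
# --ctstate values that are nft `ct status` flags, not states: the ones the
# report says iptables-translate discards.
CT_STATUS_FLAGS = ("snat", "dnat")
_KW = "|".join(CT_STATE_ORDER + CT_STATUS_FLAGS)
_CT_EXPR = re.compile(rf"\bct (?:state|status) ((?:{_KW})(?:,(?:{_KW}))*)\b")


def _parse_ctstate(ctstate):
    """Normalise a comma-separated --ctstate list; reject unknown values."""
    wanted = [v.strip().lower() for v in ctstate.split(",") if v.strip()]
    unknown = sorted(set(wanted) - set(CT_STATE_ORDER) - set(CT_STATUS_FLAGS))
    if unknown:
        raise ValueError(f"unknown --ctstate value(s): {unknown}")
    return wanted


def translate_ctstate(ctstate, table="filter", chain="INPUT", verdict="accept"):
    """nft rule(s) for `-t TABLE -A CHAIN -m conntrack --ctstate CTSTATE -j VERDICT`.

    A --ctstate list matches if ANY listed value matches. `ct state` takes a
    set, so states share one rule, but `ct status dnat` in the same rule would
    be ANDed with them; each NAT flag therefore gets its own rule.
    """
    wanted = _parse_ctstate(ctstate)
    prefix = f"nft add rule ip {table} {chain}"
    rules = []
    states = [s for s in CT_STATE_ORDER if s in wanted]
    if states:
        rules.append(f"{prefix} ct state {','.join(states)} counter {verdict}")
    for flag in CT_STATUS_FLAGS:
        if flag in wanted:
            rules.append(f"{prefix} ct status {flag} counter {verdict}")
    return rules


def dropped_values(ctstate, nft_rules):
    """--ctstate values that no `ct state`/`ct status` expression in nft_rules covers.

    Run over real iptables-translate output to catch the silent discard:
    "ct state counter accept" carries no keyword at all, so DNAT is reported.
    """
    present = set()
    for rule in nft_rules:
        for m in _CT_EXPR.finditer(rule):
            present.update(m.group(1).split(","))
    return [v for v in _parse_ctstate(ctstate) if v not in present]
```

Feeding the two observed outputs from the report into `dropped_values` returns `["dnat"]` for both, which is the check a rule migration would want before trusting a translated ruleset.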