Bug 614358 - net-firewall/nftables-0.7 does not save dnat rules correctly
Summary: net-firewall/nftables-0.7 does not save dnat rules correctly
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2017-03-31 17:32 UTC by Francisco J. Vazquez
Modified: 2019-06-29 23:45 UTC (History)
CC: 3 users

Description Francisco J. Vazquez 2017-03-31 17:32:41 UTC
The /usr/libexec/nftables/nftables.sh script relies on "nft list" to save the current state:

nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}

However (at least in my systems) the dnat rules are incomplete when shown:

# nft add table ip nat
# nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
# nft add rule nat prerouting tcp dport 12345 dnat 10.10.10.2:23456
# nft list table nat
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport 12345 dnat to :23456
        }
}

"nft list table nat" doesn't show the ip address (but it's loaded correctly, because the rule works fine), so it is not saved by /etc/init.d/nftables.

Thus, the rule works when I introduce it manually, but it stops working when restored by the init script at boot.
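The failure mode reported above is silent: the save step succeeds, but the text it wrote is missing the dnat address, and nothing notices until the rule is restored at boot. The following script is an added example, not part of the bug report, the init script or the nftables package. It scans a saved ruleset for `dnat to`/`snat to` targets that begin with a colon (port only, no address) and refuses such a file. The two embedded listings are constructed from the report's own output; the function names and the pattern are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nftables package: check a
# saved nftables ruleset for the symptom described in the report, a
# "dnat to"/"snat to" target that kept only the port and lost its address.
# Run it on the file the init script writes before trusting that file at boot.

# Constructed sample of what "nft list table nat" printed under nftables-0.7
# (the address in front of the colon is gone).
SAMPLE_BROKEN='table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport 12345 dnat to :23456
        }
}'

# Constructed sample of the listing as it should look, address included.
SAMPLE_OK='table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport 12345 dnat to 10.10.10.2:23456
        }
}'

# Pattern for a NAT target that starts with ':' (port only, no address).
ADDRLESS_NAT='(dnat|snat) to[[:space:]]+:[0-9]+'

# count_addrless_nat RULESET_TEXT
# Prints how many rule lines carry an address-less NAT target.
count_addrless_nat() {
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps that
    # from being reported as a failure of this function.
    printf '%s\n' "$1" | grep -cE "$ADDRLESS_NAT" || true
}

# check_saved_ruleset RULESET_TEXT
# Exit status 0 when no address-less NAT target is present, 1 otherwise
# (the offending lines, with line numbers, go to stderr).
check_saved_ruleset() {
    bad=$(printf '%s\n' "$1" | grep -nE "$ADDRLESS_NAT")
    if [ -n "$bad" ]; then
        printf 'saved ruleset has NAT targets without an address:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration on the two constructed samples.
if check_saved_ruleset "$SAMPLE_OK"; then
    echo "SAMPLE_OK: safe to restore"
fi
if ! check_saved_ruleset "$SAMPLE_BROKEN" 2>/dev/null; then
    echo "SAMPLE_BROKEN: refuse to restore ($(count_addrless_nat "$SAMPLE_BROKEN") bad rule(s))"
fi
```

In the init script's save path the same check can be applied to the temporary file it builds, for instance `check_saved_ruleset "$(cat "${tmp_save}")" || exit 1` right after the `nft list` loop, so a save that would restore the incomplete rule fails loudly instead of being installed as the boot-time ruleset.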
Comment 1 Francisco Blas Izquierdo Riera gentoo-dev 2019-06-29 23:45:51 UTC
This is already fixed by =net-firewall/nftables-0.8-r3