Your message dated Fri, 8 Nov 2024 19:12:33 +0000
with message-id <[email protected]>
and subject line Fixed upstream in 1.8.8
has caused the Debian Bug report #916918,
regarding iptables translation issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
916918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916918
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nftables
Version: 0.9.0-2
Severity: normal
The following examples used to work with native iptables, but either
fail or produce the wrong functionality with nftables:
bash# iptables-translate -4 -A bogoncheck -m set --match-set bogons4 src -j DROP
nft # -4 -A bogoncheck -m set --match-set bogons4 src -j DROP
bash#
(i.e. fails to translate rule)
bash# iptables-translate -A INPUT -s 0.0.0.0/8 -j DROP
nft add rule ip filter INPUT counter drop
bash#
(ignores source address match to yield a rule that drops everything)
(0.0.0.0/8 != 0.0.0.0/0)
bash# iptables-translate -6 -A protect-re -s 2001:db8:19::/64 -p tcp --sport 80 -j ACCEPT
nft add rule ip filter protect-re ip6 saddr 2001:db8::ffff:ffff:0:0/0 tcp sport 80 counter accept
bash#
(borks the source address match completely)
The last example is converted correctly by ip6tables-translate. But as I
used to have ipv4 and ipv6 rules in the same file, I'm baffled by why
iptables-restore-translate even tries to convert the ipv6 rules. Surely
it should just skip them?
I also ran into a baffling error message for a rule that uses the
multiport module, and couldn't find a workaround or even what the real
problem was:
iptables-translate-restore v1.8.2 (nf_tables): multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
Here's an attempt to manually translate the line in question:
bash# iptables-translate -4 -A protect-re -m multiport -p udp -s 10.0.0.0/24 --ports 161,514 -j ACCEPT
nft # -4 -A protect-re -m multiport -p udp -s 10.0.0.0/24 --ports 161,514 -j ACCEPT
bash#
Best Regards,
--
Aleksi Suhonen
--- End Message ---
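A check a firewall maintainer can run over iptables-translate output before loading it with nft, added here as an example (it is not from the bug report or from the iptables/nftables projects): it re-parses each original rule for its address family, address, protocol and port matches and flags translations that dropped or altered them, which is exactly how a scoped drop rule turns into a drop-everything rule. The sample pairs are the ones quoted in the report plus one constructed faithful translation as a control; parse_iptables and check_translation are names chosen for this example.

```python
import ipaddress
import re
import shlex

# Rule/output pairs: the first three are quoted in the report above, the last is a constructed control.
SAMPLES = [
    ("iptables-translate -A INPUT -s 0.0.0.0/8 -j DROP",
     "nft add rule ip filter INPUT counter drop"),
    ("iptables-translate -6 -A protect-re -s 2001:db8:19::/64 -p tcp --sport 80 -j ACCEPT",
     "nft add rule ip filter protect-re ip6 saddr 2001:db8::ffff:ffff:0:0/0 tcp sport 80 counter accept"),
    ("iptables-translate -4 -A bogoncheck -m set --match-set bogons4 src -j DROP",
     "nft # -4 -A bogoncheck -m set --match-set bogons4 src -j DROP"),
    ("iptables-translate -A INPUT -s 10.0.0.0/24 -p udp --dport 514 -j ACCEPT",
     "nft add rule ip filter INPUT ip saddr 10.0.0.0/24 udp dport 514 counter accept"),
]
FLAGS = {"-s": "saddr", "--source": "saddr", "-d": "daddr", "--destination": "daddr",
         "-p": "proto", "--protocol": "proto", "--sport": "sport", "--dport": "dport"}

def parse_iptables(cmd):
    """Pick the family, address, protocol and port matches out of an iptables command line."""
    argv = shlex.split(cmd)
    want = {name: None for name in set(FLAGS.values())}
    for i, tok in enumerate(argv[:-1]):
        if tok in FLAGS:
            want[FLAGS[tok]] = argv[i + 1]
    want["family"] = "ip6" if "-6" in argv else "ip"
    return want

def check_translation(cmd, nft):
    """Return the ways the nft rule fails to preserve the original matches (empty list = faithful)."""
    if nft.startswith("nft #"):
        return ["not translated: output is still a commented-out iptables rule"]
    want = parse_iptables(cmd)
    problems = []
    if not nft.startswith("nft add rule %s " % want["family"]):
        problems.append("address family mismatch: expected table family %s" % want["family"])
    for key in (k for k in ("saddr", "daddr") if want[k]):
        m = re.search(r"\bip6? %s (\S+)" % key, nft)
        if m is None:
            problems.append("%s match dropped: rule now matches any address" % key)
        elif ipaddress.ip_network(m.group(1), strict=False) != ipaddress.ip_network(want[key], strict=False):
            problems.append("%s changed from %s to %s" % (key, want[key], m.group(1)))
    for key in ("sport", "dport"):
        if want[key] and not re.search(r"\b%s %s %s\b" % (want["proto"], key, re.escape(want[key])), nft):
            problems.append("%s %s match missing" % (key, want[key]))
    return problems

if __name__ == "__main__":
    for cmd, nft in SAMPLES:
        print(cmd, "->", check_translation(cmd, nft) or "OK")
```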
--- Begin Message ---
Version: 1.8.8-1
The upstream fix was released in 1.8.8.
J.
--- End Message ---