portmap: ensure nftables backend only intercept local traffic #1210
Conversation
champtar
force-pushed
the
fix-portmap_nftables
branch
from
10f9afb to
a50bdb6
Compare
This aligns the behavior with the iptables backend.
Implicit chain was introduced in
- kernel 5.9: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
- nftables 0.9.7
https://git.netfilter.org/nftables/commit/?id=c330152b7f7779f15dba3e0862bf5616e7cb3eab
https://lwn.net/Articles/835364/
Fixes 9296c5f
Fixes 01a94e1
Signed-off-by: Etienne Champetier <[email protected]>
champtar
force-pushed
the
fix-portmap_nftables
branch
from
a50bdb6 to
409f4a2
Compare
| "jump {", | ||
| "jump", hostIPHostPortsChain, ";", | ||
| "jump", hostPortsChain, ";", | ||
| "}", |
There was a problem hiding this comment.
If we're always going to jump to both chains, then there's not really any need to have separate chains. You could just merge hostip_hostports into hostports, right?
There was a problem hiding this comment.
The problem is the update path, I haven't had time to update this PR, yes the end goal is to have 1 chain, but if hostip_hostports exists we need to continue using it
There was a problem hiding this comment.
ah... good point. OK, in that case, just make prerouting be the same as output, with one <conditions> jump hostip_hostports and one <conditions> fib daddr type local jump hostports. (The type local check isn't needed for the hostip_hostports chain anyway since all of the rules there only apply to specific destination IPs.)
2 participants
This aligns the behavior with the iptables backend.
Implicit chain was introduced in
https://git.netfilter.org/nftables/commit/?id=c330152b7f7779f15dba3e0862bf5616e7cb3eab
https://lwn.net/Articles/835364/
Fixes 9296c5f
Fixes 01a94e1
Fixes #1209