Gentoo Forums
ip6tables restore fails with DNAT target [solved]
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Sun Mar 03, 2013 11:32 am    Post subject: ip6tables restore fails with DNAT target [solved]

Hello,

I have a router with an IPv6 connection and I am testing the latest IPv6 NAT implementation with kernel and iptables versions that support it.

Code:

uname -a
Linux lowpower4 3.7.10-gentoo #1 SMP Fri Mar 1 15:15:10 CET 2013 x86_64 Intel(R) Atom(TM) CPU D525 @ 1.80GHz GenuineIntel GNU/Linux

equery u iptables
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/iptables-1.4.17:
 U I
 + + ipv6        : Adds support for IP version 6
 + + netlink     : Build against libnfnetlink which enables the nfnl_osf util
 - - static-libs : Build static libraries


This command is accepted from the command line:

Code:

ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>


/etc/init.d/ip6tables save saves it, but /etc/init.d/ip6tables start displays this error:

Code:

 * Loading ip6tables state and starting firewall ...
ip6tables-restore v1.4.17: unknown option "--to-source"
Error occurred at line: 7
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.   


Is it a bug, or am I doing something wrong?

Thanks


Last edited by Tender on Sun May 05, 2013 8:05 am; edited 2 times in total
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13511

Posted: Sun Mar 03, 2013 4:55 pm    Post subject:

Please post the full output of ip6tables-save and the contents of the saved rules-save file, if different. Feel free to obfuscate addresses. We just need to see the structure of the file.
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Mon Mar 04, 2013 8:00 am    Post subject:

Thanks, info follows:

ip6tables-save
Code:


# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*nat
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i aiccu -p tcp -m tcp --dport <tcp port> -j DNAT --to-source <ipv6 addr>
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*raw
:PREROUTING ACCEPT [1:1028]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*mangle
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [1:1028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*filter
:INPUT DROP [1:1028]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013


/var/lib/ip6tables/rules-save
Code:

# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*nat
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i aiccu -p tcp -m tcp --dport <tcp port> -j DNAT --to-source <ipv6 addr>
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*raw
:PREROUTING ACCEPT [1:1028]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*mangle
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [1:1028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*filter
:INPUT DROP [1:1028]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013


and

Code:

ip6tables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp      anywhere             anywhere             tcp dpt:<tcp port> to:<ipv6 addr>

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

Posted: Mon Mar 04, 2013 9:31 am    Post subject: Re: ip6tables restore fails

Tender wrote:
Code:

ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>


/etc/init.d/ip6tables save saves it, but /etc/init.d/ip6tables start displays this error:

Code:

 * Loading ip6tables state and starting firewall ...
ip6tables-restore v1.4.17: unknown option "--to-source"
Error occurred at line: 7
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.   


Is it a bug, or am I doing something wrong?

Thanks


It's not a bug! You're just doing something wrong :P

As in the command line, the DNAT jump expects --to-dest and not --to-source, which has no meaning for DNAT :wink:
_________________
The End of the Internet!
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Mon Mar 04, 2013 11:36 am    Post subject: Re: ip6tables restore fails

truc wrote:
Tender wrote:
Code:

ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>


/etc/init.d/ip6tables save saves it, but /etc/init.d/ip6tables start displays this error:

Code:

 * Loading ip6tables state and starting firewall ...
ip6tables-restore v1.4.17: unknown option "--to-source"
Error occurred at line: 7
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.   


Is it a bug, or am I doing something wrong?

Thanks


It's not a bug! You're just doing something wrong :P

As in the command line, the DNAT jump expects --to-dest and not --to-source, which has no meaning for DNAT :wink:


But if the command line is correct, the script that saves the configuration is translating it badly.
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

Posted: Mon Mar 04, 2013 12:37 pm    Post subject:

Are you sure the ruleset was even saved? You may have to do it manually, because automatic ruleset saving on shutdown is usually a bad idea and is probably disabled.


But before that, you can see where this ruleset is saved and inspect it manually, as it contains the date it was generated (or at least whether it was generated with ip6tables-save, which is no longer obvious as it apparently contains an error!)

EDIT: oh, you've already posted it. So I'm out of ideas! I have no NAT66 support right now (work computer), but I'll test tonight on my laptop.
_________________
The End of the Internet!
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Mon Mar 04, 2013 1:00 pm    Post subject:

truc wrote:
Are you sure the ruleset was even saved? You may have to do it manually, because automatic ruleset saving on shutdown is usually a bad idea and is probably disabled.


But before that, you can see where this ruleset is saved and inspect it manually, as it contains the date it was generated (or at least whether it was generated with ip6tables-save, which is no longer obvious as it apparently contains an error!)

EDIT: oh, you've already posted it. So I'm out of ideas! I have no NAT66 support right now (work computer), but I'll test tonight on my laptop.


Yes, automatic ruleset saving is disabled; the explicit save generates the file posted earlier.
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

Posted: Mon Mar 04, 2013 10:03 pm    Post subject:

Tender wrote:
Yes, automatic ruleset saving is disabled; the explicit save generates the file posted earlier.


Amazing!
Code:
$ sudo ip6tables-save -t nat > before
$ sudo ip6tables -t nat -I PREROUTING -p tcp --dport 333 -j DNAT --to-dest 2012:3456:789a:bcde:f012:3456:789a:bcde
$ sudo ip6tables-save -t nat > after
$ diff before after
1c1
< # Generated by ip6tables-save v1.4.17 on Mon Mar  4 22:05:41 2013
---
> # Generated by ip6tables-save v1.4.17 on Mon Mar  4 22:05:50 2013
6a7
> -A PREROUTING -p tcp -m tcp --dport 333 -j DNAT --to-source 2012:3456:789a:bcde:f012:3456:789a:bcde
8c9
< # Completed on Mon Mar  4 22:05:41 2013
---
> # Completed on Mon Mar  4 22:05:50 2013


Man! You've just discovered a bug! That's impressive! 8)

You definitely have to report it!
_________________
The End of the Internet!
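The diff above pins the problem to the save side: the live DNAT rule is correct, but the saved file carries --to-source, which ip6tables-restore then rejects at that line. As an added example (not code from the thread or from the iptables project), these shell functions find DNAT rules saved with --to-source and rewrite them to --to-destination, the long form of --to-dest, while leaving SNAT rules, which legitimately use --to-source, untouched. The sample ruleset is constructed to mirror the posted rules-save file, with a placeholder port and documentation-prefix addresses.

```shell
#!/bin/sh
# Added example, not from the thread: repair a rules-save file in which
# ip6tables-save 1.4.17 wrote DNAT rules with --to-source instead of
# --to-destination. The sample below is constructed to mirror the posted
# file; port 2222 and the 2001:db8:: addresses are placeholders. The bad
# rule is line 7, the same line the original ip6tables-restore error reports.
SAMPLE_RULES='# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*nat
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i aiccu -p tcp -m tcp --dport 2222 -j DNAT --to-source 2001:db8::1
[0:0] -A POSTROUTING -o aiccu -j SNAT --to-source 2001:db8::2
COMMIT
# Completed on Mon Mar  4 08:49:46 2013'

# find_bad_dnat RULESET: print the line number of every DNAT rule that
# carries --to-source. Exit 0 if any was found, 1 if the ruleset is clean.
find_bad_dnat() {
    printf '%s\n' "$1" | awk '
        / -j DNAT / && / --to-source / { print NR; found = 1 }
        END { exit found ? 0 : 1 }'
}

# fix_dnat RULESET: rewrite --to-source to --to-destination on DNAT rules
# only. SNAT rules also use --to-source, correctly, and are left alone.
fix_dnat() {
    printf '%s\n' "$1" | sed '/ -j DNAT /s/ --to-source / --to-destination /'
}

# Stand-alone run: report the bad lines, repair, and confirm the result is clean.
if find_bad_dnat "$SAMPLE_RULES" >/dev/null; then
    echo "DNAT rules saved with --to-source on line(s): $(find_bad_dnat "$SAMPLE_RULES" | tr '\n' ' ')"
    FIXED=$(fix_dnat "$SAMPLE_RULES")
    if find_bad_dnat "$FIXED" >/dev/null; then
        echo "repair failed"
    else
        echo "repaired ruleset is clean"
    fi
fi
```

To repair a real file, write `fix_dnat "$(cat /var/lib/ip6tables/rules-save)"` to a new file and parse it with `ip6tables-restore --test` before letting the init script load it.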
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Tue Mar 05, 2013 7:33 am    Post subject:

Where do I report it? Directly on upstream's Bugzilla at netfilter.org?
I'm not used to reporting bugs.

Thanks
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

Posted: Tue Mar 05, 2013 9:13 am    Post subject:

I'd say on the netfilter/iptables Bugzilla http://bugzilla.netfilter.org/, but it requires you to have an account, so the lazy way is probably to report it on Gentoo's Bugzilla :wink:
(you also need an account there, but I suppose you already have one lying around!? :lol: )
_________________
The End of the Internet!
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Tue Mar 05, 2013 11:42 am    Post subject:

Gentoo's Bugzilla – :D - Bug 460400
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

Posted: Tue Mar 05, 2013 3:25 pm    Post subject:

roh! not even a clickable link for b.g.o! You're really of the lazy kind! :lol:

Code:
[bug=460400]Gentoo's Bugzilla [/bug]


Gentoo's Bugzilla ;)
_________________
The End of the Internet!
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Tue Mar 05, 2013 3:39 pm    Post subject:

No, I'm not so lazy; I just did not think about it.
I will do it next time.

Thanks
Tender
Tux's lil' helper


Joined: 05 Nov 2005
Posts: 138

Posted: Sun May 05, 2013 8:04 am    Post subject:

It works with 1.4.18.