iptables-legacy + iptables-nft = iptables-broken ?
Rafael David Tinoco
rafaeldtinoco at ubuntu.com
Wed Jan 27 21:52:27 UTC 2021
OK.. I think I found the issue... sorry for the noise.
TL/DR version:
All the iptables targets working in compatibility mode (-j NFLOG, -j TRACE, etc.) might face issues and not work correctly when using nf-tables by default (nft_compat -> x_tables over nftables).
Explanation:
If I execute my tool with "iptables-legacy" and have an iptables-legacy-rules-only firewall, it works perfectly. Now, if I have an iptables-nft-rules-only firewall and run my tool with "iptables-nft", it does not work:
TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: rule, position: 4
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: rule, position: 4
TCPv6 [ 0] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: rule, position: 4
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: rule, position: 4
versus
TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: policy
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: policy
TCPv6 [ 5] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
    table: mangle, chain: OUTPUT, type: policy
    table: mangle, chain: POSTROUTING, type: policy
    table: filter, chain: OUTPUT, type: policy
meaning that in the latter case the flow was said to be processed by:
Table: filter, chain: OUTPUT default policy
but if we look closely:
$ sudo iptables -t filter -L OUTPUT -n --line-numbers
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
So it is hard to understand if the flow was processed by:
Table: filter, chain: OUTPUT default policy OR
Table: filter, chain: OUTPUT, rule: #4
Let's remove the rule:
$ sudo iptables -t filter -D OUTPUT -p tcp -j ACCEPT
and yes, the flow stops working.
It means that the TRACE iptables target cannot work with nf-tables (or nf-tables-compat). I'll have to use nf-tables tracing features eventually.
Cheers o/
-rafaeldtinoco
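As an added example (not part of Rafael's message or of his tool), here is a small Python parser for the output of nftables' native tracing, the route the message says it will have to take. Native tracing is typically enabled by inserting a `meta nftrace set 1` rule into the chain of interest (for an iptables-nft filter table: `nft insert rule ip filter OUTPUT meta nftrace set 1`) and reading `nft monitor trace`. Each packet then produces one `packet:` line and one line per rule or policy it hits, so the rule-versus-policy attribution that `-j TRACE` under nft_compat could not deliver is explicit. The line shapes below are assumed from typical `nft monitor trace` output, and the sample lines are constructed to mirror the 10.250.97.1:1024 -> 10.250.97.143:22 flow in the message (one trace accepted by the `-p tcp -j ACCEPT` rule as iptables-nft renders it, one falling through to the DROP policy after that rule was deleted).

```python
import re
from collections import defaultdict

# Assumed shape of `nft monitor trace` lines (not taken from the message):
#   trace id <hex> <family> <table> <chain> packet: <packet fields>
#   trace id <hex> <family> <table> <chain> rule <expr> (verdict <v>)
#   trace id <hex> <family> <table> <chain> policy <v>
#   trace id <hex> <family> <table> <chain> verdict <v>
TRACE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) "
    r"(?P<chain>\S+) (?P<rest>.*)$"
)
RULE_RE = re.compile(r"^rule (?P<expr>.*) \(verdict (?P<verdict>[^)]+)\)$")
# Packet fields used to name the flow (IPv4/IPv6 addresses, TCP/UDP ports).
FIELD_RE = re.compile(r"\b(ip6? [sd]addr|(?:tcp|udp) [sd]port) (\S+)")
TERMINAL = ("accept", "drop", "reject")

# Constructed sample: two traces of the same flow, before and after the
# "-p tcp -j ACCEPT" rule (shown as iptables-nft renders it) was removed.
SAMPLE = """\
trace id 3c5f01 ip filter OUTPUT packet: oif "eth0" ip saddr 10.250.97.1 ip daddr 10.250.97.143 ip protocol tcp tcp sport 1024 tcp dport 22
trace id 3c5f01 ip filter OUTPUT rule meta nftrace set 1 (verdict continue)
trace id 3c5f01 ip filter OUTPUT rule meta l4proto tcp counter packets 7 bytes 420 accept (verdict accept)
trace id 9a7d22 ip filter OUTPUT packet: oif "eth0" ip saddr 10.250.97.1 ip daddr 10.250.97.143 ip protocol tcp tcp sport 1024 tcp dport 22
trace id 9a7d22 ip filter OUTPUT rule meta nftrace set 1 (verdict continue)
trace id 9a7d22 ip filter OUTPUT policy drop
not a trace line
"""


def parse_trace_line(line):
    """Parse one trace line into an event dict; None for anything else."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    ev = {k: m.group(k) for k in ("id", "family", "table", "chain")}
    rest = m.group("rest")
    if rest.startswith("packet: "):
        ev["kind"] = "packet"
        ev["flow"] = dict(FIELD_RE.findall(rest))
    elif rest.startswith("rule "):
        rm = RULE_RE.match(rest)
        if rm is None:
            return None  # rule line without a verdict suffix: ignore
        ev["kind"] = "rule"
        ev["expr"] = rm.group("expr")
        ev["verdict"] = rm.group("verdict")
    elif rest.startswith("policy "):
        ev["kind"] = "policy"
        ev["verdict"] = rest[len("policy "):]
    elif rest.startswith("verdict "):
        ev["kind"] = "verdict"
        ev["verdict"] = rest[len("verdict "):]
    else:
        return None
    return ev


def summarize(lines):
    """Group events by trace id: {id: {"flow": {...}, "path": [events]}}."""
    traces = defaultdict(lambda: {"flow": {}, "path": []})
    for line in lines:
        ev = parse_trace_line(line)
        if ev is None:
            continue
        t = traces[ev["id"]]
        if ev["kind"] == "packet":
            t["flow"].update(ev["flow"])
        else:
            t["path"].append(ev)
    return dict(traces)


def decision(trace):
    """(table, chain, 'rule'|'policy', verdict) of the step that decided the fate."""
    for ev in trace["path"]:
        if ev["kind"] in ("rule", "policy") and ev["verdict"] in TERMINAL:
            return (ev["table"], ev["chain"], ev["kind"], ev["verdict"])
    return None  # trace still in flight or cut off


def report(lines):
    """One human-readable line per trace id, in first-seen order."""
    out = []
    for tid, t in summarize(lines).items():
        f = t["flow"]
        src = f.get("ip saddr") or f.get("ip6 saddr", "?")
        dst = f.get("ip daddr") or f.get("ip6 daddr", "?")
        sport = f.get("tcp sport") or f.get("udp sport", "?")
        dport = f.get("tcp dport") or f.get("udp dport", "?")
        d = decision(t)
        fate = "undecided" if d is None else f"{d[0]}/{d[1]} {d[2]} -> {d[3]}"
        out.append(f"{tid}: {src}:{sport} -> {dst}:{dport}: {fate}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE.splitlines()):
        print(line)
```

Fed the live output of `nft monitor trace` instead of SAMPLE (for example via `sys.stdin`), the report answers exactly the question the `iptables -L` listing above leaves open: whether the flow was accepted by a rule in `filter/OUTPUT` or fell through to its DROP policy.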