I think the intention is for most users to use the ufw frontend to iptables; however, I believe nftables ought to work for those who wish to use it, so please do keep poking at it.
Thanks

https://bugs.launchpad.net/bugs/1503695

Title: nft nat not working

Status in linux package in Ubuntu: Confirmed
Status in nftables package in Ubuntu: New

Bug description:

Hi,

I have installed an Ubuntu 15.10 beta machine and configured nftables firewalling. While the regular firewalling works (using the default settings that come with the package), I found that nat rules are silently ignored.

I've added this to /etc/nftables.conf and read it:

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0;
            ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
            tcp dport 80 redirect to 1235
        }
        chain postrouting {
            type nat hook postrouting priority 0;
        }
    }

following the example from http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Redirect (1.2.3.4 is just a placeholder for the address actually used here; I do not want to reveal the address in the bug report).

nft reads this without complaining, and "nft list table ip nat" gives exactly that output (except for replacing 80 with "http"), so the configuration is read correctly. But it simply does not work. Without having any daemon listening on ports 1234, 1235, traffic to port 80 works as usual. As long as there is no process waiting on 1234/1235, the connection should be refused.

Which is dangerous and a security flaw, since this was meant (and used in a similar way with iptables and Ubuntu 14.04) to avoid revealing sensitive data over the internet (an application that is not able to use https should be tunneled). When firewall rules have been loaded and accepted without any warning, one would expect them to run.

I've tried to unload all iptables-related kernel packages and to load packages like nft_nat, nft_redir, nft_redir_ipv4, but the direct connection to port 80 still works although it shouldn't. No error warning, no message.

It just allows outgoing port 80 although it shouldn't. Which is a problem, since this is security-relevant. If it doesn't work, it should spit out some error message.

(FYI: It was implemented under Ubuntu 14.04 with

    iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
)

My current guess: On that wiki page's bottom there's a hint that iptables and nft nat cannot be used at the same time. Unfortunately Ubuntu 15.10 still loads plenty of iptables stuff. Although I've tried to remove it all and its kernel modules, I guess this could be a problem.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nftables 0.4-7
ProcVersionSignature: Ubuntu 4.2.0-14.16-generic 4.2.2
Uname: Linux 4.2.0-14-generic x86_64
ApportVersion: 2.19-0ubuntu1
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed Oct 7 15:21:36 2015
InstallationDate: Installed on 2015-09-03 (33 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825)
SourcePackage: nftables
UpgradeStatus: No upgrade log present (probably fresh install)
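An added example, not code from the bug report or from the nftables project. The iptables rule quoted in the report sits in the nat OUTPUT chain, which is the hook that locally generated connections traverse, while the nft ruleset in the report only hooks prerouting; the script below emits the nftables equivalent with an output chain as well, puts a counter on each redirect rule so that "rule loaded" and "rule matched" can be told apart from nft's own output, and fails loudly when nothing matched. It assumes root, a modern nft accepting the "redirect to :port" spelling, and nc; 1.2.3.4 and 1234 are the report's placeholders.

```shell
#!/bin/sh
# Added example, not the report's or the nftables project's code.
# Mirrors the reporter's iptables rule (-t nat -I OUTPUT ... -j REDIRECT) in
# nftables: locally generated traffic traverses the output hook, not prerouting,
# and counters on each rule show whether it matched. 1.2.3.4/1234 are the
# report's placeholders; loading and verifying need root and nft.
set -eu

TARGET=${TARGET:-1.2.3.4}

# Emit the ruleset: prerouting for traffic arriving from outside, output for
# connections made by processes on this host (the case the iptables rule covered).
gen_ruleset() {
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        ip daddr $TARGET tcp dport 80 counter redirect to :1234
    }
    chain output {
        type nat hook output priority 0;
        ip daddr $TARGET tcp dport 80 counter redirect to :1234
    }
}
EOF
}

# Sum the "counter packets N" values in 'nft list ...' output read from stdin;
# pure text processing, so it can be exercised without nft installed.
count_hits() {
    awk '/counter packets/ { for (i = 1; i <= NF; i++) if ($i == "packets") n += $(i + 1) }
         END { print n + 0 }'
}

# Load the ruleset, make one connection attempt, and fail if no packet hit a
# redirect rule (the silent non-match the report describes).
verify_redirect() {
    tmp=$(mktemp)
    gen_ruleset > "$tmp"
    nft -f "$tmp"
    rm -f "$tmp"
    before=$(nft list table ip nat | count_hits)
    nc -z -w 2 "$TARGET" 80 || true   # refused is fine; only the counter matters
    after=$(nft list table ip nat | count_hits)
    if [ "$after" -gt "$before" ]; then
        echo "redirect matched: $((after - before)) packet(s) hit the nat rules"
    else
        echo "WARNING: no packets hit the redirect rules; port 80 traffic is not being rewritten" >&2
        return 1
    fi
}

if [ "${1:-}" = "verify" ]; then verify_redirect; fi
```

Run it as "sh script.sh verify" on the host; a zero counter after the connection attempt means the rules are installed but never consulted for that traffic.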