Add nftables support #285
Comments
Is Netfilter Jool useless as well?
I keep needing to reference the original emails when talking about this bug, so here are some quick links to them: (question) https://mail-lists.nic.mx/pipermail/jool-list/2019-May/000247.html
If you need someone for testing -- just let me know!
It works but is also fairly flawed. Notable areas of improvement:

- nft is not extensible, so adding the jool rule requires a custom nftables build.
- Just like Netfilter Jool and iptables Jool, nftables Jool is jumping packets to postrouting, but since it hooks itself to the inet family, this might no longer be necessary. (Emphasis on "might.")
- There are several unimplemented interface functions, such as nft_expr_ops.clone. Dunno what these do, but it probably wouldn't hurt to add them.
- I'm currently testing on the filter chain, which is obviously not intended for this.

Big chunk of #285.
I have a functioning prototype, in case you want to hammer it. Unfortunately, Download, compile and install the custom nftables build (BTW: probably uninstall the old one beforehand): (Edit 2020-04-28: Updated instructions to account for the new "jool" branches)
(I'm testing in Ubuntu 18.04.3, by the way.) Download, compile and install the new Jool (BTW: probably uninstall the old one beforehand):
Basic SIIT recipe:
Basic NAT64 recipe:
That translates in my test environment. Two notes:
How does it look?
Here's the conversation in Netfilter Devel so far:
Just for reference in case somebody else stumbles over this bug. I am getting the following error message on CentOS 8 which is likely caused because CentOS 8 switches to nftables:
@ydahhrk Your new nft support works like a charm 😁 👍 One idea to avoid patching nft: is it possible to incorporate the modification of the nft chains into the
@stv0g Thank you. With this bit of confirmation, and since it's pretty safe to say the mail thread was forgotten, I intend to upload a formal patch as another ping attempt tomorrow.
Wouldn't it be problematic from a user's perspective? If

```
$ # Prepare a table with a bunch of rules.
$ sudo nftables/src/nft add table inet graybox
$ sudo nftables/src/nft add chain inet graybox test \{ type filter hook prerouting priority 0 \; \}
$ sudo nftables/src/nft add rule inet graybox test ct state invalid drop
$ sudo nftables/src/nft add rule inet graybox test jool siit default
$ sudo nftables/src/nft add rule inet graybox test ct state invalid drop
$
$ # Print table, according to jool-aware nft
$ sudo nftables/src/nft list ruleset
table inet graybox {
	chain test {
		type filter hook prerouting priority filter; policy accept;
		ct state invalid drop
		jool "siit" "default"
		ct state invalid drop
	}
}
$
$ # Print table, according to jool-unaware nft
$ sudo nft list ruleset
table inet graybox {
	chain test {
		type filter hook prerouting priority filter; policy accept;
		ct state invalid drop
		ct state invalid drop
	}
}
netlink: Error: unknown expression type 'jool'.
```
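An added check, not part of the thread or of Jool, that makes the silent omission shown above detectable: it parses two `nft list ruleset` dumps and reports the rules the second one lacks. The dumps are constructed copies of the jool-aware and jool-unaware listings in the comment, and the rule-line and table/chain regexes are assumptions about the plain-text `nft list` format.

```python
import re

# Constructed sample dumps, copied from the jool-aware and jool-unaware
# `nft list ruleset` output in the comment above (not captured live).
AWARE = """table inet graybox {
    chain test {
        type filter hook prerouting priority filter; policy accept;
        ct state invalid drop
        jool "siit" "default"
        ct state invalid drop
    }
}"""
UNAWARE = """table inet graybox {
    chain test {
        type filter hook prerouting priority filter; policy accept;
        ct state invalid drop
        ct state invalid drop
    }
}"""

def parse_ruleset(text):
    """Map (family, table, chain) -> rule lines; the type/hook/policy line is not a rule."""
    rules, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        t = re.match(r"^table (\S+) (\S+) \{$", line)
        c = re.match(r"^chain (\S+) \{$", line)
        if t:
            table = (t.group(1), t.group(2))
        elif c and table is not None:
            chain = table + (c.group(1),)
            rules[chain] = []
        elif line == "}":  # closes the open chain, else the table
            chain, table = None, (table if chain is not None else None)
        elif chain is not None and line and not line.startswith("type "):
            rules[chain].append(line)
    return rules

def missing_rules(reference, candidate):
    """Rules in `reference` that `candidate` lacks; duplicates are matched one-for-one."""
    cand, missing = parse_ruleset(candidate), []
    for chain, rs in parse_ruleset(reference).items():
        have = list(cand.get(chain, []))
        for r in rs:
            if r in have:
                have.remove(r)  # consume one matching copy
            else:
                missing.append(chain + (r,))
    return missing
```

Running `missing_rules` on the output of the patched and the distribution `nft` before a `nft -f` reload shows which rules a dump-and-restore cycle through the unaware binary would drop.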
Oh yes. That's a problem 👎 I had a brief look at the nftables-aware version of iptables. But I couldn't figure out if they support extensions.
Poke sent:
What are you trying to do when this happens?
Adding an instance via
Hmm... can you be more specific? I think this might be a bug. The error message is too generic, I can't find where it's being thrown, and I don't see how nft could be influencing it. Can you still reproduce it?

```
$ sudo modprobe -r jool
$ sudo modprobe jool
$ dmesg -t | tail -1 # kernel module version
NAT64 Jool v4.0.8.0 module inserted.
$ jool --version # userspace client version
4.0.8.0
```

Also the arguments to the instance add command.
@ydahhrk I can't reproduce my previous problem anymore. I suspect it was due to a version mismatch as you mentioned.
I found a segfault in the netfilter code somewhere.
Jool statements are used to send packets to the Jool kernel module, which is an IP/ICMP translator: www.jool.mx

Sample usage:

```
modprobe jool
jool instance add "name" --iptables -6 64:ff9b::/96
sudo nft add rule inet table1 chain1 jool nat64 "name"
```

This feature was requested in Jool's bug tracker: NICMx/Jool#285

Signed-off-by: Alberto Leiva Popper <[email protected]>

Jool statements are used to send packets to the Jool kernel module, which is an IP/ICMP translator: www.jool.mx

This feature was requested in Jool's bug tracker: NICMx/Jool#285

Signed-off-by: Alberto Leiva Popper <[email protected]>
@stv0g Try the following branches: https://github.com/ydahhrk/libnftnl/tree/jool
@ydahhrk Thanks the new branches fixed the segfault for me 👍
Status update:
So the forecast is: My quick patch will not be accepted upstream. In order to reconcile Jool and nftables, nothing less than a full merge will be required. This means this issue and #273 are one and the same. Since this issue suddenly became a massive undertaking, my longterm plan is to finish #136 (because it's already in the testing phase), then implement #193, and then #285/#273. (This excludes emerging urgent minor patches such as #326 and #325, which of course need to be addressed first.)
Since this issue became a duplicate of #273, I will now close it. In case anyone wants a quick 'n dirty version of this feature, my prototype is still available in my account and, as far as I know, is functional:
Currently jool does not work with nftables. However, some networks switched away from ipXtables completely and thus jool cannot be used in those environments anymore.
I can be a beta tester, if there is a need for it.