iptables nat prerouting slight problem with adapter aliases

Bug #1492837 reported by David Favor on 2015-09-06
This bug affects 1 person
Affects: iptables (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

There seems to be a slight problem with iptables + adapter aliases.

Take the alias eth0:1 for example...

ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 00:25:90:eb:cb:ae
          inet addr:158.69.167.64 Bcast:158.69.255.255 Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

1) This rule works + seems incorrect (notice -i eth0 rather than -i eth0:1)

       iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dst 158.69.167.64 --dport 80 -j DNAT --to 10.0.3.189:80

2) This rule fails + seems correct (notice -i eth0:1)

       iptables -w -t nat -A PREROUTING -i eth0:1 -p tcp --dst 158.69.167.64 --dport 80 -j DNAT --to 10.0.3.189:80

In #2 the rule is consumed without generating any error.

Seems like either eth0:1 should be accepted + should work or should generate an error.

The iptables man page says -i is the "Name of an interface via which a packet was received" so I'm guessing anytime -i is passed with an alias, then the correct action is to either generate an error + die or better generate a warning that the alias has been converted to the base interface (any :\d+ has been stripped).

This is a low priority item + at the same time can suck a huge amount of time debugging.

David Favor (davidfavor) wrote :

By "works" I mean packets forward correctly only when base adapter is used (no :\d+) so aliases quietly drop packets.

David Favor (davidfavor) wrote :

Still broken on Vivid as of Sept 26 2015.

David Favor (davidfavor) wrote :

Still broken in ubuntu-15.10-wily + causes all manner of headaches debugging.
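
An added example, not part of the original report and not iptables code: a Python check that scans iptables-save output for rules whose -i/-o argument is an alias label such as eth0:1, the case the report describes as accepted without error and never matching. The function name, the finding fields and the sample ruleset (built from the two rules in the report) are constructed for illustration.

```python
import re
import shlex

# An alias label is "<device>:<number>", e.g. eth0:1 (the report's ":\d+" case).
ALIAS_RE = re.compile(r"^(?P<base>[^:\s]+):\d+$")
IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}

# Constructed sample in iptables-save format, built from the report's two rules.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 158.69.167.64/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.189:80
-A PREROUTING -d 158.69.167.64/32 -i eth0:1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.189:80
COMMIT
"""


def find_alias_rules(ruleset_text):
    """Return one finding per rule whose interface match names an alias label."""
    findings = []
    table = None
    for lineno, line in enumerate(ruleset_text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("*"):  # "*nat", "*filter": start of a table section
            table = line[1:]
            continue
        if not line.startswith("-A "):  # skip comments, chain policies, COMMIT
            continue
        try:
            tokens = shlex.split(line)  # honours quoted --comment strings
        except ValueError:
            continue  # unbalanced quotes: not a line iptables-save would emit
        for flag, value in zip(tokens, tokens[1:]):
            match = ALIAS_RE.match(value) if flag in IFACE_FLAGS else None
            if match:
                base = match.group("base")
                findings.append({
                    "line": lineno, "table": table, "chain": tokens[1],
                    "interface": value, "base": base,
                    # Same rule on the base device; a -d match, if present,
                    # still selects the alias address.
                    "suggested": line.replace(f"{flag} {value}", f"{flag} {base}", 1),
                })
    return findings


if __name__ == "__main__":
    for f in find_alias_rules(SAMPLE_RULESET):
        print(f"line {f['line']} ({f['table']}/{f['chain']}): {f['interface']} "
              f"is an alias label; use {f['base']}")
        print("  suggested:", f["suggested"])
```

On a live host the input would be the text printed by iptables-save rather than the embedded sample.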
