I updated from an older rolling release of 1.4 to 1.4.0-RC1 and had to make some corrections to the firewall after the migration. It now appears to be working fine.
On the other hand, I am seeing problems with NAT. In spite of this simple configuration,

```
$ sh nat source rules
Rule    Source           Destination   Proto   Out-Int   Translation
------  ---------------  ------------  ------  --------  -------------
5000    192.168.0.0/16   0.0.0.0/0     IP      eth0      masquerade
        sport any        dport any
5010    192.168.0.0/16   0.0.0.0/0     IP      eth3      masquerade
        sport any        dport any
```
hosts with non-matching IPs going out tunnel interfaces (wg, gre) were also having NAT applied.
Eventually I found iptables had applied rules, but I don't use iptables.
```
$ sudo iptables -L -t nat
# Table `nat' contains incompatible base-chains, use 'nft' tool to list them.
Chain PREROUTING (policy ACCEPT)
target                  prot opt source      destination
NETAVARK-HOSTPORT-DNAT  all  --  anywhere    anywhere      ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target                  prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target                  prot opt source      destination
NETAVARK-HOSTPORT-DNAT  all  --  anywhere    anywhere      ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target                  prot opt source      destination
NETAVARK-HOSTPORT-MASQ  all  --  anywhere    anywhere

Chain NETAVARK-HOSTPORT-DNAT (2 references)
target                  prot opt source      destination

Chain NETAVARK-HOSTPORT-MASQ (1 references)
target                  prot opt source      destination
MASQUERADE              all  --  anywhere    anywhere      /* netavark portfw masq mark */ mark match 0x2000/0x2000

Chain NETAVARK-HOSTPORT-SETMARK (0 references)
target                  prot opt source      destination
MARK                    all  --  anywhere    anywhere      MARK or 0x2000
```
Where is this coming from? I removed these rules with iptables -F -t nat and now NAT is working correctly according to config.
I did not see this in my old rolling release of 1.4, but that was before the major firewall updates.
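The situation described in the post, where a container runtime has quietly added its own chains to the legacy iptables nat table alongside the router's nftables NAT, is the kind of drift worth checking for automatically. The script below is an added example, not code from the post or from VyOS: it parses iptables-save style text (a constructed sample here, modelled on the NETAVARK chains shown above) and reports user-defined chains and address-rewriting rules that the router's own NAT configuration did not create.

```shell
#!/bin/sh
# Added example: detect chains in the legacy iptables "nat" table that were
# not created by the router's own NAT config (e.g. netavark/Podman, Docker).
# Input is iptables-save style text; the sample below is constructed to
# mirror the chains shown in the post.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:NETAVARK-HOSTPORT-DNAT - [0:0]
:NETAVARK-HOSTPORT-MASQ - [0:0]
:NETAVARK-HOSTPORT-SETMARK - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j NETAVARK-HOSTPORT-DNAT
-A OUTPUT -m addrtype --dst-type LOCAL -j NETAVARK-HOSTPORT-DNAT
-A POSTROUTING -j NETAVARK-HOSTPORT-MASQ
-A NETAVARK-HOSTPORT-MASQ -m comment --comment "netavark portfw masq mark" -m mark --mark 0x2000/0x2000 -j MASQUERADE
-A NETAVARK-HOSTPORT-SETMARK -j MARK --set-xmark 0x2000/0x2000
COMMIT'

# Print every user-defined chain (":NAME" lines that are not built-in chains).
foreign_chains() {
    printf '%s\n' "$1" | awk '
        /^:/ {
            name = substr($1, 2)
            if (name != "PREROUTING" && name != "INPUT" &&
                name != "OUTPUT" && name != "POSTROUTING") print name
        }'
}

# Count rules that actually rewrite addresses (MASQUERADE, SNAT, DNAT).
nat_rule_count() {
    printf '%s\n' "$1" | grep -c -E -- '-j (MASQUERADE|SNAT|DNAT)( |$)'
}

# Return 1 when unexpected chains exist, so this can run from cron/monitoring.
check_legacy_nat() {
    chains=$(foreign_chains "$1")
    if [ -n "$chains" ]; then
        echo "Unexpected chains in legacy iptables nat table:"
        printf '  %s\n' $chains
        echo "Address-rewriting rules present: $(nat_rule_count "$1")"
        return 1
    fi
    echo "No foreign chains in iptables nat table"
    return 0
}

# On a live router, feed it: iptables-save -t nat 2>/dev/null
check_legacy_nat "$SAMPLE_NAT" || true
```

Flagged chains point at whichever service installed them (here a container runtime); fixing that service's configuration is more durable than flushing the table, which the next container start would undo.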