Bug 67835

Summary: iptables can't DNAT OUTPUT packets any longer
Product: [Retired] Red Hat Linux
Reporter: Alexandre Oliva <aoliva>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.3
CC: l_magnus_j
Hardware: athlon
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-01-23 15:34:19 UTC

Description Alexandre Oliva 2002-07-02 18:22:39 UTC

Description of problem:
iptables -t nat -A OUTPUT -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17,
which used to work with kernel 2.4.9-34, no longer works with kernel 2.4.18-5.  I
haven't verified that it is not iptables-1.2.5-3 that's passing incorrect
arguments to the kernel, but I've checked with strace that it is the kernel that
is returning the EINVAL error to userland.  The man page still says DNAT is valid
in the nat OUTPUT table.

Version-Release number of selected component (if applicable):
kernel-2.4.18-5.athlon

How reproducible:
Always

Steps to Reproduce:
Starting from empty (or otherwise) iptables, run:
  iptables -t nat -A OUTPUT -d ip.address.of.choice -j DNAT --to-dest any.other.ip.address

Actual Results:  iptables: Invalid argument

Expected Results:  it should start redirecting outgoing packets originally
addressed to ip.address.of.choice to any.other.ip.address

Additional info:

Comment 1 Alexandre Oliva 2002-07-02 19:13:31 UTC
Looks like this is just because kernel.config says:

# CONFIG_IP_NF_NAT_LOCAL is not set

and ip_nat_rule does:

#ifndef CONFIG_IP_NF_NAT_LOCAL
	if (hook_mask & (1 << NF_IP_LOCAL_OUT)) {
		DEBUGP("DNAT: CONFIG_IP_NF_NAT_LOCAL not enabled\n");
		return 0;
	}
#endif

but why is this feature disabled by default?
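
An added diagnostic script (not from the bug report, the kernel, or iptables) that applies the same check Comment 1 quotes from ip_nat_rule: it reads a kernel config file and predicts whether a DNAT rule in the nat OUTPUT chain will be refused with EINVAL before the rule is tried. The config path and the 2.4-only option name are assumptions; the two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or of the kernel/iptables code:
# predicts whether a DNAT rule in the nat OUTPUT chain will be refused with
# EINVAL ("iptables: Invalid argument") because the kernel config lacks
# CONFIG_IP_NF_NAT_LOCAL, the #ifndef that Comment 1 quotes from ip_nat_rule.
# Assumes a 2.4-style kernel config file, e.g. /boot/config-$(uname -r).

# Return 0 when the config builds local (OUTPUT-chain) NAT in (=y or =m), 1 otherwise.
local_nat_enabled() {
    grep -Eq '^CONFIG_IP_NF_NAT_LOCAL=(y|m)$' "$1"
}

# check_nat_rule CONFIG_FILE <iptables arguments...>
# Prints "needs-local-nat" when the rule appends/inserts a DNAT target into the
# nat OUTPUT chain on a kernel that does not enable local NAT, else "ok".
check_nat_rule() {
    config=$1; shift
    table=filter; chain=""; target=""
    while [ $# -gt 0 ]; do
        case $1 in
            -t|--table) table=$2; shift ;;
            -A|-I|--append|--insert) chain=$2; shift ;;
            -j|--jump) target=$2; shift ;;
        esac
        shift
    done
    if [ "$table" = nat ] && [ "$chain" = OUTPUT ] && [ "$target" = DNAT ] \
       && ! local_nat_enabled "$config"; then
        echo needs-local-nat
    else
        echo ok
    fi
}

# Constructed sample configs: one carrying the "# CONFIG_IP_NF_NAT_LOCAL is not
# set" line the report quotes, one standing in for the fixed Phoebe beta2 kernel.
WORK=$(mktemp -d)
printf '# CONFIG_IP_NF_NAT_LOCAL is not set\n' > "$WORK/config-2.4.18-5"
printf 'CONFIG_IP_NF_NAT_LOCAL=m\n' > "$WORK/config-phoebe"

# The rule from the report against each config, then the same target in
# PREROUTING, which the #ifndef does not cover.
check_nat_rule "$WORK/config-2.4.18-5" -t nat -A OUTPUT -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17
check_nat_rule "$WORK/config-phoebe"   -t nat -A OUTPUT -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17
check_nat_rule "$WORK/config-2.4.18-5" -t nat -A PREROUTING -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17
```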

Comment 2 Alexandre Oliva 2003-01-23 15:34:19 UTC
I see this is fixed in the Phoebe beta2 kernel, in that IP_NF_NAT_LOCAL is built
as a module.  Can't tell for how long it's been fixed, but thanks!