Bug 67835 - iptables can't DNAT OUTPUT packets any longer
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.3
Hardware: athlon Linux
Priority: medium, Severity: medium
Assigned To: Arjan van de Ven
Brian Brock
Reported: 2002-07-02 14:22 EDT by Alexandre Oliva
Modified: 2007-04-18 12:43 EDT

Doc Type: Bug Fix
Last Closed: 2003-01-23 10:34:19 EST


Description Alexandre Oliva 2002-07-02 14:22:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020610

Description of problem:
iptables -t nat -A OUTPUT -d 143.106.24.189 -j DNAT --to-dest 172.31.160.17,
that used to work with kernel 2.4.9-34, no longer works with kernel 2.4.18-5.  I
haven't verified that it is not iptables-1.2.5-3 that's passing incorrect
arguments to the kernel, but I've checked with strace that it is the kernel that
is returning the EINVAL error to userland.  The man page still says DNAT is valid
in the nat OUTPUT table.

Version-Release number of selected component (if applicable):
kernel-2.4.18-5.athlon

How reproducible:
Always

Steps to Reproduce:
Starting from empty (or otherwise) iptables, run:
  iptables -t nat -A OUTPUT -d ip.address.of.choice -j DNAT --to-dest any.other.ip.address


Actual Results:  iptables: Invalid argument


Expected Results:  it should start redirecting outgoing packets originally
addressed to ip.address.of.choice to any.other.ip.address

Additional info:
Comment 1 Alexandre Oliva 2002-07-02 15:13:31 EDT
Looks like this is just because kernel.config says:

# CONFIG_IP_NF_NAT_LOCAL is not set

and ip_nat_rule does:

#ifndef CONFIG_IP_NF_NAT_LOCAL
	if (hook_mask & (1 << NF_IP_LOCAL_OUT)) {
		DEBUGP("DNAT: CONFIG_IP_NF_NAT_LOCAL not enabled\n");
		return 0;
	}
#endif

but why is this feature disabled by default?
Comment 2 Alexandre Oliva 2003-01-23 10:34:19 EST
I see this is fixed in the Phoebe beta2 kernel, in that IP_NF_NAT_LOCAL is built
as a module.  Can't tell for how long it's been fixed, but thanks!
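
The config check that Comment 1 does by hand, written as a shell helper. This is an added example, not part of the original bug report or of any Red Hat tooling. The function names and the config path passed on the command line are assumptions.

```shell
#!/bin/sh
# Triage helper: before suspecting the iptables userland binary, check how
# the running kernel was configured for NAT of locally generated packets.

# Print the state of CONFIG_IP_NF_NAT_LOCAL in the kernel config file $1:
# builtin, module, disabled, absent, or unreadable.
nat_local_state() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 1
    fi
    awk '
        /^CONFIG_IP_NF_NAT_LOCAL=y$/            { s = "builtin"  }
        /^CONFIG_IP_NF_NAT_LOCAL=m$/            { s = "module"   }
        /^# CONFIG_IP_NF_NAT_LOCAL is not set$/ { s = "disabled" }
        END { print (s == "" ? "absent" : s) }
    ' "$cfg"
}

# Translate the state into what this bug report observed for
# "iptables -t nat -A OUTPUT ... -j DNAT".
output_dnat_verdict() {
    case $(nat_local_state "$1") in
        disabled)
            # Comment 1: the #ifndef branch rejects the LOCAL_OUT hook,
            # and iptables prints "Invalid argument".
            echo "rejected" ;;
        builtin)
            # With the option defined, the #ifndef block is compiled out.
            echo "accepted" ;;
        module)
            # Comment 2 reports the rule working with this setting.
            echo "accepted" ;;
        *)
            # Option missing or file unreadable: nothing can be concluded.
            echo "unknown" ;;
    esac
}

# Run only when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "CONFIG_IP_NF_NAT_LOCAL: $(nat_local_state "$1")"
    echo "DNAT in nat/OUTPUT:     $(output_dnat_verdict "$1")"
fi
```

Pass it the config file that matches the running kernel, wherever the distribution installs it.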
