iptables 不支援 DNAT?

Question

iptables 不支援 DNAT?

kenlee0823 opened this issue a year ago · 1 comments

kernel 4.4.289+
iptables 之 NAT 功能測試皆無作用，查看(iptables -L -t nat)有 Warning 訊息。

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             udp dpt:20601 to:192.168.1.10:20601
Warning: Extension DNAT is not supported, missing kernel module?
DNAT       tcp  --  anywhere             anywhere             tcp dpt:58901 to:192.168.1.10:8901
Warning: Extension DNAT is not supported, missing kernel module?
DNAT       tcp  --  anywhere             anywhere             tcp dpt:51023 to:192.168.1.11:23
Warning: Extension DNAT is not supported, missing kernel module?
DNAT       udp  --  anywhere             anywhere             udp dpt:51027 to:192.168.1.11:27

配置參照 NUC970(kernel 3.10.108+)，make menuconfig 選項,其NAT功能正常，無 Warning 訊息。

  [*] Networking support 
      [*] Networking options  ---> 
          [*] Network packet filtering framework (Netfilter)  --->			
              IP: Netfilter Configuration  ---> 全選編入核心

.config內容:
NETFILTER 相關:
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_SYNPROXY=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_HL=y
CONFIG_NETFILTER_XT_NAT=y
CONFIG_NETFILTER_XT_TARGET_NETMAP=y
CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
CONFIG_NETFILTER_XT_MATCH_ECN=y
CONFIG_NETFILTER_XT_MATCH_HL=y

NF_* 相關:
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_COMMON=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_DUP_IPV4=y
CONFIG_NF_LOG_ARP=y
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_NAT_MASQUERADE_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_RPFILTER=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_SYNPROXY=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

NAT 相關:
CONFIG_ARCH_HIBERNATION_POSSIBLE=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NFT_NAT=y
CONFIG_NETFILTER_XT_NAT=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NFT_CHAIN_NAT_IPV4=y
CONFIG_NF_NAT_MASQUERADE_IPV4=y
CONFIG_IP_NF_NAT=y

kernel 載入部份訊息:
[ 1.910899] Netfilter messages via NETLINK v0.30.
[ 1.916308] nf_conntrack version 0.5.0 (1945 buckets, 7780 max)
[ 1.925141] nf_tables: (c) 2007-2009 Patrick McHardy kaber@trash.net
[ 1.931716] nf_tables_compat: (c) 2012 Pablo Neira Ayuso pablo@netfilter.org
[ 1.941916] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 1.954991] ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
[ 1.961566] arp_tables: (C) 2002 David S. Miller
...

Answer 1 · 2023-11-16T09:00:23.000Z

找到問題原因了，問題不在核心，是我以 Buildroot 2023.08 建立的rootfs，其 iptables-1.8.9 生成的模組/usr/lib/xtables/* 部份檔案和1.8.7以前版本不同。
將iptables 套件改成 1.8.7 即沒有錯誤訊息。運作也正常了。