ldx / python-iptables

Python bindings for iptables

--random parameter not working with SNAT #339

Open tom130380 opened 1 year ago

tom130380 commented 1 year ago

There seems to be an issue storing the --random parameter in the list of parameters of an SNAT target:

>>> import iptc
>>> table = iptc.Table("nat")
>>> rule = iptc.Rule()
>>> target = rule.create_target("SNAT")
>>> target.random = ""
>>> target.to_source = "10.10.101.254"
>>> target.get_all_parameters()
{'to-source': ['10.10.101.254']}
>>> iptc.easy.decode_iptc_rule(rule)
{'target': {'SNAT': {'to-source': '10.10.101.254'}}, 'counters': (0, 0)}

or via encoding a rule by using a dict and then decoding it again:

>>> rule_dict = {'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}}, 'counters': (0, 0)}
>>> rule = iptc.easy.encode_iptc_rule(rule_dict)
>>> iptc.easy.decode_iptc_rule(rule)
{'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254'}}, 'counters': (0, 0)}

Am I missing something or is this indeed a bug?

jllorente commented 1 year ago

Hi @tom130380 ,

I don't have access to a Linux box at the moment, but could you try adding the rule via the CLI with the iptables command, then read it back with the library's iptc.easy.dump_chain() and share the output? 🙏

tom130380 commented 1 year ago

Hi @jllorente , here is what you asked for:

[root@mybox ~]# iptables -A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random -t nat

[root@mybox ~]# iptables -S -t nat

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random

[root@mybox ~]# python

Python 3.8.13 (default, Jun 22 2022, 02:56:09) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import iptc
>>> iptc.easy.dump_chain("nat", "POSTROUTING")
[{'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}}, 'counters': (0, 0)}]

jllorente commented 1 year ago

Hi @tom130380, it seems all the information is certainly there and you can insert to and read from the kernel, so there is not a bug, nor is it a known issue - https://github.com/ldx/python-iptables/#known-issues

I was able to reproduce your steps, and while I haven't been involved with this project for many years now, I do remember something about the native Table/Chain/Rule modules having some particularities to them, especially if you were playing around with a rule without inserting it into the kernel or reading it from a chain.

Sorry I cannot be of more help!

On a personal note, I have relied heavily on the iptc.easy module and leveraged dictionary rules for my projects.

tom130380 commented 1 year ago

Hi @jllorente , thanks for your reaction. I'm not sure though why you say it's not a bug, because with the current implementation it is impossible to insert a rule into the kernel with the "--random" parameter. So instead of this:

-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random

you get this:

-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254

Is there anyone still working on this project?

jkklemm commented 10 months ago

This problem no longer occurs, at least with iptables version 1.8.9. I think it should be added to the known issues.
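Since the outcome depends on the iptables version, the check below lets you verify on your own box whether a flag-only target option such as SNAT --random survives the trip from a dictionary rule into the kernel and back. It is an added example, not code from python-iptables or from anyone in this thread. The pure-Python helpers compare the rule you wanted with what was read back and run anywhere; the kernel round trip assumes python-iptables is installed, runs as root on Linux, and uses the nat/POSTROUTING chain and the addresses from the thread (assumptions, adjust to your setup).

```python
"""Round-trip check for flag-only target parameters (e.g. SNAT --random).

Added example, not python-iptables code. The comparison helpers are pure
Python; kernel_roundtrip() needs python-iptables, root and a Linux kernel.
"""
import os
import sys

# Constructed sample data, taken from the observations in the thread.
WANTED = {
    "src": "10.10.121.254/32",
    "target": {"SNAT": {"to-source": "10.10.101.254", "random": ""}},
}
# What decode_iptc_rule() returned for a rule that was encoded but never
# inserted into the kernel: the 'random' flag is gone.
DECODED_WITHOUT_KERNEL = {
    "src": "10.10.121.254/32",
    "target": {"SNAT": {"to-source": "10.10.101.254"}},
    "counters": (0, 0),
}
# What dump_chain() returned for the same rule added with the iptables CLI.
DUMPED_FROM_KERNEL = [{
    "src": "10.10.121.254/32",
    "target": {"SNAT": {"to-source": "10.10.101.254", "random": ""}},
    "counters": (0, 0),
}]


def rule_params(rule_dict):
    """Return (target_name, params) for a rule in the iptc.easy dict format.
    Built-in targets (ACCEPT, DROP, ...) appear as a plain string."""
    target = rule_dict.get("target")
    if isinstance(target, dict):
        (name, params), = target.items()
        return name, dict(params or {})
    return target, {}


def lost_params(wanted, readback):
    """Target parameter names in `wanted` that are missing or changed in
    `readback`. A flag-only option is encoded as an empty string
    ('random': ''), so the check is on key presence, not on truthiness."""
    w_name, w_params = rule_params(wanted)
    r_name, r_params = rule_params(readback)
    if w_name != r_name:
        return set(w_params) | {"<target>"}
    return {k for k, v in w_params.items()
            if k not in r_params or r_params[k] != v}


def _match_part(rule_dict):
    return {k: v for k, v in rule_dict.items() if k not in ("target", "counters")}


def find_rule(dumped_chain, wanted):
    """Locate our rule in dump_chain() output by its match part only, so a
    rule whose target lost options is still found and reported rather than
    silently missed."""
    key = _match_part(wanted)
    for rule in dumped_chain:
        if _match_part(rule) == key:
            return rule
    return None


def kernel_roundtrip(wanted, table="nat", chain="POSTROUTING"):
    """Insert `wanted` with the native Chain API, read the chain back with
    iptc.easy.dump_chain(), remove the rule again, and return the set of
    parameter names that did not survive. Requires root (assumption)."""
    import iptc  # imported here so the pure helpers run without the library
    rule = iptc.easy.encode_iptc_rule(wanted)
    ch = iptc.Chain(iptc.Table(table), chain)
    ch.insert_rule(rule)
    try:
        readback = find_rule(iptc.easy.dump_chain(table, chain), wanted)
    finally:
        ch.delete_rule(rule)
    if readback is None:
        return {"<rule not found>"}
    return lost_params(wanted, readback)


if __name__ == "__main__":
    # Offline: reproduces the thread's observation without touching the kernel.
    print("encode/decode without kernel lost:", lost_params(WANTED, DECODED_WITHOUT_KERNEL))
    print("CLI-inserted rule read back lost:", lost_params(WANTED, DUMPED_FROM_KERNEL[0]))
    if sys.platform == "linux" and os.geteuid() == 0:
        print("kernel round trip lost:", kernel_roundtrip(WANTED))
```

An empty set from kernel_roundtrip() means the flag made it into the kernel on your iptables/python-iptables combination; {'random'} reproduces the behaviour reported above. The rule is deleted again in the finally block so the check leaves the nat table as it found it.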