Fix problem when rules missing in PREROUTING #116
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sometimes the rules in PREROUTING and POSTROUTING are broken by another program. To solve this problem, the existence of a NATTER chain is no longer checked. Now Natter will always try to create all rules to be used. Add the InputRule.iptables / InputRule.nftables method to prevent duplicate rules from being created. Also fix the chain used with DNAT and SNAT according to the document of iptables and nftables. See the schematic below, DNAT has been tested on system with iptables and nftables. However, it is not certain that SNAT will work correctly, and further testing is needed.  Finally, a one-second pause was added before port testing (line 1786) to wait for external software to start the port when port forwarding is enabled, preventing the test from showing the port as closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Sometimes the rules in PREROUTING and POSTROUTING are broken by another program. To solve this problem, the existence of a NATTER chain is no longer checked. Now Natter will always try to create all rules to be used.
Add the InputRule.iptables / InputRule.nftables method to prevent duplicate rules from being created.
Also fix the chain used with DNAT and SNAT according to the document of iptables and nftables. See the schematic below, DNAT has been tested on system with iptables and nftables. However, it is not certain that SNAT will work correctly, and further testing is needed.
There are also problems that need to be solved when the nftables of many systems do not create chains such as ip nat prerouting by default, and running natter on these systems will result in errors.
But I'm not sure if I should let natter create these chains, or write the relevant content into a readme and leave it up to the user to create them.
Finally, a one-second pause was added before port testing (line 1786) to wait for external software to start the port when port forwarding is enabled, preventing the test from showing the port as closed.