nftables nat counter incomplete

user236012

6/23/23, 10:19 PM

I'm trying to learn nftables/nat and have some simple experimental setup:

Machine1 (router):
    - eth0 192.168.0.1
    - eth1 192.168.1.1

Machine2:
    - eth0 192.168.1.2

For Machine1 I setup NAT:

table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 192.168.1.2 counter packets 0 bytes 0
                ip saddr 192.168.1.2 counter packets 6 bytes 420
                ip saddr 192.168.1.0/24 oif "eth0" snat to 192.168.0.1
        }
}

NAT works fine, I can access 192.168.0.1 (and beyond) from Machine2.

However, I struggle with the counter: The numbers above are from a wget stackoverflow.com from Machine2, and are way below what ls -l index.html is telling (~180k). I could imaging, that these are just the outgoing bytes/packets, incoming are just not counted (I added the daddr counter in hope to get these).

What am I missing?

0 + 0

nftables

Score:0

Server

Tero Kilkanen

6/24/23, 10:47 PM

When a connection goes through NAT, the connection is processed with the help of connection tracking. This means that only initial packets for the connection (SYN, SYN-ACK, ACK) pass through the NAT rule.

Rest of the packets are processed with the connection tracking entry that is set up when NAT is started.

If you want to count packets, you need to add rules to filter table FORWARD chain.

0 + 0

A.B

7/5/23, 10:20 AM

Actually only the first packet is going through NAT (for TCP that's the SYN packet). Even SYN-ACK and ACK are part of a conntrack entry already existing and altered for NAT operations by the only time nftables' nat rule saw the first packet (in a conntrack entry in NEW state). These following packets are in the same conntrack entry thus not in NEW state anymore thus not going again through nftables' nat.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: nftables nat counter incomplete

TH: ตัวนับ nftables nat ไม่สมบูรณ์

RO: nftables nat counter incomplet

RU: nftables nat counter неполный

VI: nftables bộ đếm nat không đầy đủ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.