Your message dated Thu, 06 May 2021 22:49:04 +0000 with message-id <[email protected]> and subject line Bug#934584: fixed in systemd 248-1 has caused the Debian Bug report #934584, regarding IPMasquerade=yes uses iptables (not nftables) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 934584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934584 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: systemd Version: 241-5 Severity: normal File: /lib/systemd/network/80-container-ve.network Debian 10 defaults to nftables: https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#nftables ...but systemd doesn't for IPMasquerade=, see below. AFAICT the default behaviour of "machinectl start my-new-container" is to create a veth interface between the host and the container, with a private /28 IPv4 address range shared between them, masquerading (i.e. source NAT), and no IPv6 RA(?!). This is governed by /lib/systemd/network/80-container-ve.network AFAICT this is set up using *legacy* iptables, not using nftables. Here is a system with sshguard installed (uses native nftables), and two systemd containers running: bash5# iptables-save # Table `sshguard' is incompatible, use 'nft' tool. # Warning: iptables-legacy tables present, use iptables-legacy-save to see them bash5# iptables-legacy-save # Generated by iptables-save v1.8.3 on Mon Aug 12 18:01:37 2019 *nat :PREROUTING ACCEPT [7781:686652] :INPUT ACCEPT [7749:685024] :OUTPUT ACCEPT [2108:206384] :POSTROUTING ACCEPT [2108:206384] -A POSTROUTING -s 10.0.0.16/28 -j MASQUERADE -A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE COMMIT # Completed on Mon Aug 12 18:01:37 2019 bash5# nft list ruleset table ip sshguard { set attackers { type ipv4_addr flags interval } chain blacklist { type filter hook input priority filter - 10; policy accept; ip saddr @attackers drop } } table ip6 sshguard { set attackers { type ipv6_addr flags interval } chain blacklist { type filter hook input priority filter - 10; policy accept; ip6 saddr @attackers drop } } I *think* the nftables people said mixing legacy (xtables) and nftables on the same system is Unsupportedā¢ and Bad Thingsā¢ will happen, but I can't find a citation right now. I can do "busybox ping example.com" within the container, which implies systemd's MASQUERADE rules *are* working. This test nftables ruleset also appears to be working (while systemd's legacy ruleset are present): bash5# nft 'table a { chain b { type nat hook postrouting priority srcnat; }; chain c { type nat hook prerouting priority dstnat; tcp dport 80 counter log; }; }' bash5# nft list ruleset [...] table ip a { chain b { type nat hook postrouting priority srcnat; policy accept; } chain c { type nat hook prerouting priority dstnat; policy accept; tcp dport 80 counter packets 1 bytes 60 log } } ...so, I may be freaking out about nothing. At a minimum, the legacy rules created by systemd are "invisible" to an admin looking directly at "nft list ruleset", which is the only place they will look if they expect the system to be nftables native. That violates the principle of least surprise. Is it possible to make systemd use nftables instead of iptables, when the system is so configured? I think this would have Just Happened automatically if systemd was actually running iptables(8) or iptables-restore(8), but I think it is instead talking direct to the kernel in src/shared/firewall-util.c:fw_add_masquerade() ? PS: I don't know how to do it directly in C, but from nft(8), your MASQUERADE rules would look like this (comments optional): #!/usr/sbin/nft --file table ip systemd-container-blah-blah { chain postrouting { type nat hook postrouting priority srcnat policy accept ip saddr 10.0.0.0/28 masquerade comment "for systemd-nspawn@my-new-container" ip saddr 10.0.0.16/28 masquerade comment "for systemd-nspawn@my-other-container" } chain prerouting { type nat hook prerouting priority dstnat policy accept continue comment "Apparently the postrouting chain won't work unless unless this prerouting chain also exists" } } The "modern" way to do it would be to put all the IP ranges into a named set, so that you just add/remove from the set, not from the rules. This is analogous to "iptables -m set --help" and ipset(8), which you could already have used for efficiency when you have hundreds of containers: #!/usr/sbin/nft --file table ip systemd-container-blah-blah { set systemd-container-masquerade-ranges { type ipv4_addr; flags interval; } chain postrouting { type nat hook postrouting priority srcnat policy accept ip saddr @systemd-container-masquerade-ranges masquerade comment "for systemd-nspawn@" } chain prerouting { type nat hook prerouting priority dstnat policy accept continue comment "Apparently the postrouting chain won't work unless unless this prerouting chain also exists" } } Then when a container comes up, do nft 'add element ip systemd-container-blah-blah systemd-container-masquerade-ranges { 10.0.0.0/24 }' In fact, this is exactly what sshguard is doing for its filter blacklist.
--- End Message ---
--- Begin Message ---Source: systemd Source-Version: 248-1 Done: Michael Biebl <[email protected]> We believe that the bug you reported is fixed in the latest version of systemd, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Biebl <[email protected]> (supplier of updated systemd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 06 May 2021 23:00:08 +0200 Source: systemd Architecture: source Version: 248-1 Distribution: experimental Urgency: medium Maintainer: Debian systemd Maintainers <[email protected]> Changed-By: Michael Biebl <[email protected]> Closes: 898530 934584 934676 988132 Changes: systemd (248-1) experimental; urgency=medium . [ Balint Reczey ] * New upstream version 248 - add support for answering DNSSEC questions on the stub resolver (Closes: #988132) - turn off DNSSEC validation when timesyncd resolves hostnames (Closes: #898530) - add networkd/nspawn nftables backend (Closes: #934584) - support ipv6 for masquerade and dnat in nspawn and networkd (Closes: #934676) * Refresh patches * debian/rules: Enable new systemd-sysext tool * debian/rules: Build support for flushing of the nscd caches * debian/rules: Build translations for debs but not for udebs * debian/rules: Build without TPM2 support. This is a new feature and needs further review. * Ship systemd-cryptenroll in systemd package * Update symbols file for libsystemd0 * debian/tests/control: Upstream test depends on attr * debian/udev.postinst: Create the sgx system group. Intel SGX enclave device nodes are now owned by this group. * debian/rules: Don't ship README files in (/usr)/lib/*.d. README files are typically shipped in /usr/share/doc. * Revert "pager: stop disabling urlification under a pager" Debian and Ubuntu do not yet have a less version that supports urlification. This requires less 563 or later. Checksums-Sha1: de83696851e2440afc9eba8270a48b798a8ea6b0 5162 systemd_248-1.dsc 76d0d2ff43db75ed408972f9e9290507863b46fa 10306883 systemd_248.orig.tar.gz b18ca95fef75e4a92a3226289cb6234a78018084 158764 systemd_248-1.debian.tar.xz 5f3563788808a79522d7bbc3be1cafa7de4dba70 9319 systemd_248-1_source.buildinfo Checksums-Sha256: ccf352c65698bc59e1c6559a941b4c51ba0bad952ac37601d872ef9989f847fa 5162 systemd_248-1.dsc 4bd75d16e2dcb4d3396f81b2a2ad04e0afaef7183f433aeea664a717e2e20ca1 10306883 systemd_248.orig.tar.gz 4cfb646db8ae06dcb6c1f5640fb8e7fa86bbfb52d4b4a05d5998a047a908b8e9 158764 systemd_248-1.debian.tar.xz a4c75a10e717f0cd1ad6583d08e2e243bdec712f164a8d33bc542e730e6cf188 9319 systemd_248-1_source.buildinfo Files: 9b1026071da181a9ed69a2e916454eac 5162 admin optional systemd_248-1.dsc 00131adf0e98c1fd8a7fde4eb47f10c8 10306883 admin optional systemd_248.orig.tar.gz ed671184d4ee76750758d23b19608302 158764 admin optional systemd_248-1.debian.tar.xz be1bf48efa21f92b79dc63d98db7460d 9319 admin optional systemd_248-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmCUbsYACgkQauHfDWCP ItwsUg/8C8Lf+AdbJHRz63z9qCJ73xg3jTOOXPEMjsgJxrJUA3laWrBWdoz9T4ey l9OwoMSGyYJa5albQbirprZveey/XqUXMbYlcpUu648WOeScU/2NGVLrqByp8bgr X1TXYKAd7DrQ6fpuH9Go3NRG0v+NE1w+ZvAPjCTlx32vpUbVNfDwob5b0PDCvIUT k0j1k3FAxkEU38shMzNXYUGyvTkeFVMN+wNL6K0A4IdNjAuHRyCWneEFNecKmZ0U tlLBRNKC/8kmgoVywptsp4oH1BEJ7ErxaZ3rTDV1tRPLUtsVWb+pAJqA1b2471L2 Kt8g50PfYARSrkIC2WzZ9+SopxD498Hs8+vvEHTM1vbbR0D3xCSOsHqvhwXQwbZS 2bUsj1BiiTlQhyK8ICHCnKXYuNhVqX9nUc2Fc4LqGNG4GAeQFBE+ufWUtubLS2m/ DjjAO8m317qVIJZMymmyScY7kfFYaKBQT0FVRNbDniBS1F/Bs328I8HwK+M4lrKa BHwQcnMWU/f6nOeWzxxhNyyqzET1EvEI7zxN+DDhCBqdlC0Ob7RKtTBQB7YWVdB1 OR95BkTWBubq9Hc3M9pznYSlMxdg4bVs01+qM/2dV02zqZSHku70w5NmWDZEOL9T 3a+MsVN74y2Ou8HEUFmr8RHbGFtfjaFOjEsO0KkNfX/r4rh+PCA= =WJ9A -----END PGP SIGNATURE-----
--- End Message ---
