# ip6tables restore fails with DNAT target [solved]

## Tender

Hello,

I have a router with an IPv6 connection and I am testing the latest IPv6 NAT implementation with kernel and iptables versions that support it.

```
uname -a
Linux lowpower4 3.7.10-gentoo #1 SMP Fri Mar 1 15:15:10 CET 2013 x86_64 Intel(R) Atom(TM) CPU D525 @ 1.80GHz GenuineIntel GNU/Linux

equery u iptables
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/iptables-1.4.17:
 U I
 + + ipv6        : Adds support for IP version 6
 + + netlink     : Build against libnfnetlink which enables the nfnl_osf util
 - - static-libs : Build static libraries
```

This command is accepted from cmd line:

```
ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>
```

/etc/init.d/ip6tables save saves it, but /etc/init.d/ip6tables start displays this error:

```
 * Loading ip6tables state and starting firewall ...
ip6tables-restore v1.4.17: unknown option "--to-source"
Error occurred at line: 7
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
```

Is it a bug or am I doing something wrong?

Thanks

Last edited by Tender on Sun May 05, 2013 8:05 am; edited 2 times in total

----------

## Hu

Please post the full output of ip6tables-save and the contents of the saved rules-save file, if different.  Feel free to obfuscate addresses.  We just need to see the structure of the file.

----------

## Tender

Thanks, info follows:

ip6tables-save

```
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*nat
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i aiccu -p tcp -m tcp --dport <tcp port> -j DNAT --to-source <ipv6 addr>
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*raw
:PREROUTING ACCEPT [1:1028]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*mangle
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [1:1028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:53 2013
*filter
:INPUT DROP [1:1028]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:53 2013
```

/var/lib/ip6tables/rules-save

```
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*nat
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i aiccu -p tcp -m tcp --dport <tcp port> -j DNAT --to-source <ipv6 addr>
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*raw
:PREROUTING ACCEPT [1:1028]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*mangle
:PREROUTING ACCEPT [1:1028]
:INPUT ACCEPT [1:1028]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
# Generated by ip6tables-save v1.4.17 on Mon Mar  4 08:49:46 2013
*filter
:INPUT DROP [1:1028]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon Mar  4 08:49:46 2013
```

and

```
ip6tables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp      anywhere             anywhere             tcp dpt:<tcp port> to:<ipv6 addr>

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

----------

## truc

*Tender wrote:*

> ```
> ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>
> ```
> ...

It's not a bug! You're just doing something wrong :Razz:

As in the command line, the DNAT jump waits for --to-dest and not --to-source, which has no meaning for DNAT :Wink:

----------

## Tender

*truc wrote:*

> *Tender wrote:*
>
> ```
> ip6tables -t nat -A PREROUTING -i $IFSIXXS -p tcp --dport <tcp port> -j DNAT --to-dest <my ipv6 address>
> ```
> ...

But if the cmd line is correct, the script that saves the conf. is translating it badly.

----------

## truc

Are you sure the ruleset was even saved? You may have to do it manually because ruleset automatic saving on shutdown is usually a bad idea and is probably disabled.

But, before that, you can see where this ruleset is saved and inspect it manually as it contains the date it was generated at (or at least if it is generated with ip6tables-save, which is no longer obvious as it apparently contains an error!)

EDIT: oh, you've already posted it. So I'm out of ideas! I have no NAT66 support right now (work computer), but I'll test tonight on my laptop

----------

## Tender

*truc wrote:*

> Are you sure the ruleset was even saved? You may have to do it manually because ruleset automatic saving on shutdown is usually a bad idea and is probably disabled.
>
> But, before that, you can see where this ruleset is saved and inspect it manually as it contains the date it was generated at (or at least if it is generated with ip6tables-save, which is no longer obvious as it apparently contains an error!)
>
> EDIT: oh, you've already posted it. So I'm out of ideas! I have no NAT66 support right now (work computer), but I'll test tonight on my laptop

Yes, ruleset automatic saving is disabled; the explicit save generates the file posted earlier.

----------

## truc

*Tender wrote:*

> Yes, ruleset automatic saving is disabled; the explicit save generates the file posted earlier.

Amazing!

```
$ sudo ip6tables-save -t nat > before
$ sudo ip6tables -t nat -I PREROUTING -p tcp --dport 333 -j DNAT --to-dest 2012:3456:789a:bcde:f012:3456:789a:bcde
$ sudo ip6tables-save -t nat > after
$ diff before after
1c1
< # Generated by ip6tables-save v1.4.17 on Mon Mar  4 22:05:41 2013
---
> # Generated by ip6tables-save v1.4.17 on Mon Mar  4 22:05:50 2013
6a7
> -A PREROUTING -p tcp -m tcp --dport 333 -j DNAT --to-source 2012:3456:789a:bcde:f012:3456:789a:bcde
8c9
< # Completed on Mon Mar  4 22:05:41 2013
---
> # Completed on Mon Mar  4 22:05:50 2013
```

Man! You've just discovered a bug! That's impressive! :Cool:

You definitely have to report it!
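Added example, not part of truc's post or of iptables itself: a small lint for a saved ruleset that flags the mismatch shown in the diff above (a `DNAT` rule saved with `--to-source`) before the init script tries to load the file. It also covers the mirror case of `SNAT` saved with a destination option, which goes beyond what the thread shows; the function names and the sample rule (port 8080, address `2001:db8::10`) are constructed for illustration.

```shell
#!/bin/sh
# Lint an ip6tables-save / iptables-save dump read from stdin.
# Prints "<line-number>: <rule>" for each NAT rule whose address option
# does not match its target; exit status is 1 if any was found, else 0.
check_nat_targets() {
    awk '
    {
        rule = $0
        # rules-save files may prefix each rule with a [pkts:bytes] counter
        sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
        if (rule !~ /^-A /) next
        n = split(rule, f, " ")
        target = ""; opt = ""
        for (i = 1; i <= n; i++) {
            if ((f[i] == "-j" || f[i] == "--jump") && i < n) target = f[i + 1]
            if (f[i] ~ /^--to-(source|dest)/) opt = f[i]
        }
        # DNAT takes a destination option, SNAT takes a source option
        if ((target == "DNAT" && opt ~ /^--to-source/) ||
            (target == "SNAT" && opt ~ /^--to-dest/)) {
            printf "%d: %s\n", NR, $0
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample shaped like the rules-save file posted in this thread.
sample_rules() {
    cat <<'EOF'
# Generated by ip6tables-save v1.4.17 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i aiccu -p tcp -m tcp --dport 8080 -j DNAT --to-source 2001:db8::10
COMMIT
EOF
}

# Demo: reports line 7, the same line number ip6tables-restore complained about.
sample_rules | check_nat_targets || echo "saved ruleset would not restore"
```

On the router itself, `ip6tables-restore --test < /var/lib/ip6tables/rules-save` parses the saved file without committing it, which catches any rule that will not load, not only this one.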

----------

## Tender

Where do I report it? Directly on upstream's bugzilla at netfilter.org?

I'm not used to reporting bugs.

Thanks

----------

## truc

I'd say on the netfilter/iptables bugzilla http://bugzilla.netfilter.org/, but it requires you to have an account, so the lazy way is probably to report it on gentoo's bugzilla :Wink:

(you also need an account there, but I suppose you already have one lying around!? :Laughing: )

----------

## Tender

Gentoo's Bugzilla –   :Very Happy:  - Bug 460400

----------

## truc

roh! not even a clickable link for b.g.o! You're really of the lazy kind!  :Laughing: 

```
[bug=460400]Gentoo's Bugzilla [/bug]
```

Gentoo's Bugzilla   :Wink: 

----------

## Tender

No, I'm not so lazy, I did not think about it.

I will do it next time.

Thanks

----------

## Tender

It works with 1.4.18

----------

