--random parameter not working with SNAT #339

Open
tom130380 opened this issue Aug 17, 2023 · 5 comments

@tom130380

There seems to be an issue storing the --random parameter in the list of parameters of an SNAT target:

>>> import iptc
>>> table = iptc.Table("nat")
>>> rule = iptc.Rule()
>>> target = rule.create_target("SNAT")
>>> target.random = ""
>>> target.to_source = "10.10.101.254"
>>> target.get_all_parameters()
{'to-source': ['10.10.101.254']}
>>> iptc.easy.decode_iptc_rule(rule)
{'target': {'SNAT': {'to-source': '10.10.101.254'}}, 'counters': (0, 0)}

or via encoding a rule by using a dict and then decoding it again:

>>> rule_dict = {'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}}, 'counters': (0, 0)}
>>> rule = iptc.easy.encode_iptc_rule(rule_dict)
>>> iptc.easy.decode_iptc_rule(rule)
{'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254'}}, 'counters': (0, 0)}

Am I missing something or is this indeed a bug?

@jllorente
Collaborator

Hi @tom130380,

I don't have access to a Linux box at the moment, but could you try adding the rule via the CLI with the iptables command and then use the library to iptc.easy.dump_chain() and share the output? 🙏

@tom130380
Author

tom130380 commented Aug 21, 2023

Hi @jllorente,
here is what you asked for:

[root@mybox ~]# iptables -A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random -t nat

[root@mybox ~]# iptables -S -t nat

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random

[root@mybox ~]# python

Python 3.8.13 (default, Jun 22 2022, 02:56:09) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import iptc
>>> iptc.easy.dump_chain("nat", "POSTROUTING")
[{'src': '10.10.121.254/32', 'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}}, 'counters': (0, 0)}]

@jllorente
Collaborator

Hi @tom130380,
It seems all the information is certainly there and you can insert to and read from the kernel, so there is not a bug, nor is it a known issue - https://github.com/ldx/python-iptables/#known-issues

I was able to reproduce your steps, and while I haven't been involved with this project for many years now, I do remember something about the native Table/Chain/Rule modules having some particularities to them, especially if you were playing around with a rule without inserting it into the kernel or reading it from a chain.

Sorry I cannot be of more help!

On a personal note, I have relied heavily on the iptc.easy module and leveraged dictionary rules for my projects.

@tom130380
Author

Hi @jllorente, thanks for your reaction. I'm not sure though why you say it's not a bug because with the current implementation, it is impossible to insert a rule in the kernel with the "--random" parameter.
So instead of this:
-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254 --random
you get this:
-A POSTROUTING -s 10.10.121.254/32 -j SNAT --to-source 10.10.101.254
Is there anyone still working on this project?

@jkklemm

jkklemm commented Oct 26, 2023

This problem no longer occurs, at least with iptables with version 1.8.9. I think it should be added to the known issues.
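
A read-back check for the symptom reported in this thread, as an added example that is not part of the original issue or of python-iptables: it compares the rule that was requested with the rule that was read back, in the dict shape `iptc.easy` prints above, and reports any parameter that was silently dropped, such as `random`. The function names and the `ABSENT` marker are hypothetical; the sample dicts are the ones quoted in the thread.

```python
# Added example; function names and the ABSENT marker are hypothetical.
ABSENT = "<absent>"          # marks a key that was not read back at all
IGNORED_KEYS = {"counters"}  # packet/byte counters change at runtime

def rule_drift(intended, actual, path=()):
    """List (path, wanted, found) for each key of `intended` that is missing
    from, or different in, `actual`. Extra keys in `actual` are not reported."""
    drift = []
    for key, want in intended.items():
        if key in IGNORED_KEYS:
            continue
        here = path + (key,)
        if not isinstance(actual, dict) or key not in actual:
            drift.append((here, want, ABSENT))
        elif isinstance(want, dict):
            drift.extend(rule_drift(want, actual[key], here))
        elif actual[key] != want:
            drift.append((here, want, actual[key]))
    return drift

def verify_installed(intended, chain_dump):
    """Return [] if a rule in `chain_dump` carries everything in `intended`,
    otherwise the drift against the closest rule that was read back."""
    best = rule_drift(intended, {})
    for rule in chain_dump:
        drift = rule_drift(intended, rule)
        if not drift:
            return []
        if len(drift) < len(best):
            best = drift
    return best

# Dicts quoted in the thread: the rule that was requested, what came back after
# the encode/decode round trip, and the dump of the rule added with the iptables CLI.
INTENDED = {'src': '10.10.121.254/32',
            'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}},
            'counters': (0, 0)}
ROUND_TRIP = [{'src': '10.10.121.254/32',
               'target': {'SNAT': {'to-source': '10.10.101.254'}},
               'counters': (0, 0)}]
CLI_DUMP = [{'src': '10.10.121.254/32',
             'target': {'SNAT': {'to-source': '10.10.101.254', 'random': ''}},
             'counters': (0, 0)}]

if __name__ == "__main__":
    for label, dump in (("round trip", ROUND_TRIP), ("CLI rule", CLI_DUMP)):
        for path, want, found in verify_installed(INTENDED, dump):
            print(f"{label}: {' / '.join(path)} wanted {want!r}, found {found!r}")
```

In live use the second argument would be the list returned by `iptc.easy.dump_chain("nat", "POSTROUTING")`, as in the session above.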
