On 09.01, Arturo Borrero Gonzalez wrote:
> On 9 January 2015 at 22:32, Linke <linkerpro@xxxxxxx> wrote:
> > Hello,
> >
> > I consistently get a kernel panic with this ruleset:
> >
> > nft add table firewall
> > nft add chain firewall prerouting {type nat hook prerouting priority 0\;}
> > nft add rule firewall prerouting masquerade
> >
> >
> > Tried on Archlinux:
> >
> > official latest 3.18-grsec kernel
> > and AUR 3.19.0-rc3-gbdec419 (built from git.kernel.org)
> >
>
> Why are you using masquerade in a prerouting hook? It only makes sense
> in postrouting. It is a case I've not tested.
>
> Anyway, that should not happen. I will investigate.

Well, we only check for the NAT property, not the hooks. We need to make
sure it's only used in the appropriate hook.

Related to this, what also kind of sucks is that you have to manually take
care of creating the opposite NAT chain (pre/postrouting, in/output) to
have NAT work properly. We should make sure that the user can't mess this
up. Similarly we need to prevent having multiple NAT chains for the same
hook.

Generally I think the current NAT chain implementation is very wrong. We
need to invoke the core functions once for each direction if NAT is used,
independently of any chains. So they probably shouldn't be tied together.
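The three problems raised in the thread (masquerade in a hook other than postrouting, a NAT chain with no opposite-direction chain, and two NAT chains on the same hook) can be caught before a ruleset is loaded. The following is an added example, not code from the thread or from the nftables project: a POSIX shell/awk checker that reads text in the layout of `nft list ruleset` and reports each of those conditions. The rulesets are constructed samples; the first mirrors the reporter's `firewall` table, the second is the conventional layout with both NAT directions.

```shell
#!/bin/sh
# Added example (not from the thread). check_nat_ruleset reads ruleset text
# on stdin, prints one finding per line and returns 1 if anything was found.
# Real use: nft list ruleset | check_nat_ruleset

# Constructed sample: the reporter's table, masquerade in a prerouting
# NAT chain and no postrouting chain at all.
SAMPLE_RULESET='table ip firewall {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
		masquerade
	}
}'

# Constructed sample: both NAT directions, masquerade only in postrouting.
GOOD_RULESET='table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname "eth0" masquerade
	}
}'

# Constructed sample: two NAT chains registered on the same hook.
DUP_RULESET='table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		masquerade
	}
	chain postrouting2 {
		type nat hook postrouting priority 100; policy accept;
	}
}'

check_nat_ruleset() {
    awk '
    $1 == "table" { table = $2 " " $3 }          # e.g. "ip firewall"
    $1 == "chain" { chain = $2 }
    /type nat hook/ {
        # Record which hook this NAT chain sits on, keyed by table.
        for (i = 1; i <= NF; i++) if ($i == "hook") hook = $(i + 1)
        key = table ":" hook
        if (key in seen) {
            print "DUPLICATE: second nat chain for hook " hook " in table " table " (" chain ")"
            found++
        }
        seen[key] = chain
        chainhook[table ":" chain] = hook
    }
    /masquerade/ {
        # Fires for any chain, so masquerade in a non-NAT chain is flagged too.
        h = chainhook[table ":" chain]
        if (h != "postrouting") {
            print "MISPLACED: masquerade in chain " chain " (hook \"" h "\") of table " table "; only valid in postrouting"
            found++
        }
    }
    END {
        # Every NAT hook needs its opposite-direction partner in the same table.
        for (key in seen) {
            split(key, p, ":"); t = p[1]; h = p[2]
            if (h == "prerouting" && !((t ":postrouting") in seen)) {
                print "MISSING: table " t " has a nat prerouting chain but no postrouting chain"; found++
            }
            if (h == "postrouting" && !((t ":prerouting") in seen)) {
                print "MISSING: table " t " has a nat postrouting chain but no prerouting chain"; found++
            }
            if (h == "input" && !((t ":output") in seen)) {
                print "MISSING: table " t " has a nat input chain but no output chain"; found++
            }
            if (h == "output" && !((t ":input") in seen)) {
                print "MISSING: table " t " has a nat output chain but no input chain"; found++
            }
        }
        exit (found > 0)
    }'
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_RULESET" | check_nat_ruleset || echo "-> reporter ruleset rejected"
printf '%s\n' "$GOOD_RULESET"   | check_nat_ruleset && echo "-> conventional ruleset accepted"
```

The checker only encodes the rules stated in the thread; it does not replace the kernel-side validation the reply argues for, it just keeps the known-bad layouts from reaching a kernel that lacks it.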