On 28 April 2017 at 10:28, Phil Sutter <phil@xxxxxx> wrote:
> On Fri, Apr 28, 2017 at 10:11:51AM +0200, Arturo Borrero Gonzalez wrote:
>> On 28 April 2017 at 10:05, Phil Sutter <phil@xxxxxx> wrote:
>> >>
>> >> This warning will be printed even in rulesets loaded with '-f'
>> >> which first creates the masq rule and then the other chain.
>> >
>> > Hmm. I tested it with the following config and it works fine:
>> >
>> > | table ip nat {
>> > |     chain post {
>> > |         type nat hook postrouting priority 0; policy accept;
>> > |         oifname "veth2" masquerade
>> > |     }
>> > |
>> > |     chain pre {
>> > |         type nat hook prerouting priority 0; policy accept;
>> > |     }
>> > | }
>> >
>> > OK, with a config consisting of several 'add' commands, it indeed warns.
>> >
>> >> I think it is just a matter of documenting *everywhere* that this is the
>> >> expected behaviour, not a bug.
>> >
>> > Yeah, I should indeed have done that first, also because masquerade
>> > statement is not documented at all yet.
>> >
>>
>> The best current documentation is this:
>>
>> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
>
> Ah, thanks for the pointer! I tend to ignore anything that's not in the
> man page. :)

Well, I guess adding more info to the man page won't hurt.

Things I would add:
* some bits about NAT chains configuration (this issue)
* info about base chains priorities
* some bits about atomic operations
etc