Hi.

A couple of months ago I sent 2 RFC patches to allow using nftables and iptables NAT at the same time.

If this is unwanted (there was concern wrt. the new hooks I had to add for this), we should at least improve/restrict iptables and nftables to:

1. not allow loading iptable_nat when the nft nat hook is active.
2. make it a requirement to register an empty nat hook (required for the reply direction).
3. not permit more than one nat type per family/hook.
4. we should probably also add more checks on nat priority for nftables to reject hooks that can't work due to no conntrack information being available at that point.

I think not allowing nft and iptables nat at the same time is fine as mixing has problems on its own, especially which transformation gets precedence, so I suspect the old RFC patches resolve one issue and add another one :)

So, are the old RFC patches NAKed or not? If they are, I'd first look at #1 from the list but before I do some consensus would be welcome.

Thanks,
Florian
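As an added illustration of points 2 and 4 in the list above (a constructed example, not part of the message or of any patch), the two nftables rulesets below show a NAT setup that cannot work next to the working form; the interface name and address are placeholders, and the two tables are alternatives, not meant to be loaded together:

```nft
# Constructed example. Load ONE of the two tables below, not both.

# DOES NOT WORK, for two separate reasons:
#  (a) point 4: the nat chain is hooked at priority -300, which is before
#      conntrack (priority -200, NF_IP_PRI_CONNTRACK). Packets reaching it
#      carry no conntrack entry, so no NAT mapping can be recorded.
#  (b) point 2: only the original (postrouting) direction is hooked. Reply
#      packets enter via prerouting, where no nat hook exists, so they are
#      never translated back.
table ip nat_broken {
    chain postrouting {
        type nat hook postrouting priority -300;
        oifname "eth0" masquerade
    }
}

# WORKS: both directions have a nat hook (the prerouting one may stay
# empty; it exists so replies are un-translated), and both chains sit after
# conntrack in the conventional slots (dstnat -100, srcnat 100).
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

The checks the message proposes would turn case (a) into a load-time error instead of a silently non-functional ruleset.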