[BUG] nft: "XT target TCPMSS not found" when TCPMSS clamp to PMTU rule is added for *both* ip and ip6

Hi,

I tried registering for bugzilla.netfilter.org but the confirmation email didn't come through, so I'm posting this bug report to this list.

I use nft 0.9.0 and iptables-nft 1.8.2 on Debian 10 and noticed nft complaining about "XT target TCPMSS not found" in a specific configuration. After some digging, I found it is actually very simple to reproduce:

Step 1 - add the following rules:
`iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
`ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

Step 2 - run the nft command:
`nft list tables'

Result:
 XT target TCPMSS not found
 table ip6 filter
 table ip filter

It's not important what you list, you can e.g. also run `nft list ruleset' which will throw the same error message.
It is important, however, to add both of the above rules, for ip and for ip6. The order is not important. But if you only add one of the two rules, nft will not complain and will show the ruleset correctly.

Please note that the iptables and ip6tables commands return exit code 0 for both rules. Running `ip{6,}tables -S' will also show both rules just fine. It is only nft that complains when both rules are present at the same time. And just to be clear: lsmod also shows both xt_TCPMSS and xt_tcpmss being loaded and available.


Regards,

Timo
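The reproduction steps above, collected into one script with the clean-up the mail leaves out. This is an added example, not part of Timo's report or of the netfilter project; it assumes `iptables`, `ip6tables` (the iptables-nft variants) and `nft` are on PATH and that the script runs as root, and it deletes the two FORWARD rules again whether or not the error appears. The helper that scans nft's output for the diagnostic is separated out so it can be checked against captured text without touching a live ruleset.

```shell
#!/bin/sh
# Added reproducer for the "XT target TCPMSS not found" report above.
# Assumption: iptables-nft, ip6tables-nft and nft are installed and we run as root.

# The rule from the report, minus the table/chain command (-A/-D is passed separately).
RULE='FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Return 0 if the captured nft output in $1 contains the "XT target ... not found"
# diagnostic, 1 otherwise. Usable on its own with saved output.
nft_output_has_xt_error() {
    printf '%s\n' "$1" | grep -q 'XT target .* not found'
}

# Add (-A) or delete (-D) the clamp rule in both the ip and ip6 FORWARD chains.
apply_rules() {
    iptables "$1" $RULE
    ip6tables "$1" $RULE
}

# Add both rules, list the ruleset, remove the rules again, report the outcome.
# Returns 0 when the error is reproduced, 1 when it is not, 2 when prerequisites are missing.
reproduce() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1 \
        || ! command -v iptables >/dev/null 2>&1 || ! command -v ip6tables >/dev/null 2>&1; then
        echo "skip: needs root plus nft, iptables and ip6tables on PATH" >&2
        return 2
    fi
    apply_rules -A
    # nft prints the diagnostic on stderr, so capture both streams.
    out=$(nft list ruleset 2>&1)
    apply_rules -D   # clean up regardless of the result
    if nft_output_has_xt_error "$out"; then
        echo "reproduced:"
        printf '%s\n' "$out" | grep 'XT target'
        return 0
    fi
    echo "not reproduced"
    return 1
}

# Only touch the live ruleset when explicitly asked: ./repro.sh run
if [ "${1:-}" = "run" ]; then
    reproduce
fi
```

Run it as `sh repro.sh run` on the affected box; the exit code distinguishes reproduced (0), not reproduced (1) and missing prerequisites (2). To confirm the report's observation that a single rule does not trigger the message, comment out one of the two lines in `apply_rules` and run again.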