Hello Florian,

Thank you very much for your reply. Once I changed to Input chain type, the rule worked. It seems iptables DOES allow the same rule configuration, see below:

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 57.131.151.19/32 -p tcp -m comment --comment "default/portal:portal has no endpoints" -m tcp --dport 8989 -j REJECT --reject-with icmp-port-unreachable

This config is from a working kubernetes cluster for the service which has no endpoints.

Do you know if this change in behavior was a design decision or it is a bug?

Thank you
Serguei

On 2019-11-26, 7:21 AM, "Florian Westphal" <fw@xxxxxxxxx> wrote:

    Serguei Bezverkhi (sbezverk) <sbezverk@xxxxxxxxx> wrote:
    > Hello Pablo,
    >
    > Please see below table/chain/rules/sets I program, when I try to add jump from input-net, input-local to services it fails with "Operation not supported", I would appreciate if somebody could help to understand why:
    >
    > sudo nft add rule ipv4table input-net jump services
    > Error: Could not process rule: Operation not supported
    > add rule ipv4table input-net jump services
    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    iirc "reject" only works in input/forward/postrouting hooks.