Re: Operation not supported when adding jump command

On Mon, Nov 25, 2019 at 06:55:41PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Hello Pablo,
>
> Please see below the table/chain/rules/sets I program; when I try to add a jump from input-net, input-local to services it fails with "Operation not supported". I would appreciate it if somebody could help me understand why:
>
> sudo nft add rule ipv4table input-net jump services
> Error: Could not process rule: Operation not supported
> add rule ipv4table input-net jump services
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> table ip ipv4table {
> 	set no-endpoint-svc-ports {
> 		type inet_service
> 		elements = { 8080, 8989 }
> 	}
>
> 	set no-endpoint-svc-addrs {
> 		type ipv4_addr
> 		flags interval
> 		elements = { 10.1.1.1, 10.1.1.2 }
> 	}
>
> 	chain input-net {
> 		type nat hook prerouting priority filter; policy accept;
> 	}
>
> 	chain input-local {
> 		type nat hook output priority filter; policy accept;
> 	}
>
> 	chain services {
> 		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
> 		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
> 	}
> }
>
> Thank you
> Serguei
>
Hi Serguei,

The reason it fails is, from *man nft*:

> This statement [reject] is only valid in the input, forward and output chains,
> and user-defined chains which are only called from those chains.

(I inserted the bit in square brackets).

The wording could perhaps be clarified: what it really means to say is

Reject is only valid in base chains using the input, forward or output
hooks, and user-defined chains which are only called from those chains.

Put that way, you can see why your command is rejected.

Cheers ... Duncan.
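The rule Duncan quotes can be checked mechanically before a ruleset is loaded: walk every jump/goto edge back to the base chains and make sure each reject statement is only reachable from chains hooked at input, forward or output. The script below is an added example written for this thread, not code from the nftables project or from either poster. It parses the single-table text ruleset from the thread, with the attempted `jump services` rules included in both base chains (a constructed input), and also checks a variant in which `input-net` is rewritten as `type filter hook input` (an assumption about what the poster intended, since a filter chain on the input hook is where packets to the local host are normally rejected). The parser is deliberately minimal and only understands the syntax that appears on this page.

```python
import re
from collections import defaultdict

# Hooks from which a reject statement may be reached, per `man nft`
REJECT_HOOKS = {"input", "forward", "output"}

# Constructed sample: the thread's ruleset as it would look if the failing
# `jump services` rules had been accepted. input-net uses the prerouting hook.
RULESET_BAD = """
table ip ipv4table {
    set no-endpoint-svc-ports {
        type inet_service
        elements = { 8080, 8989 }
    }
    set no-endpoint-svc-addrs {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.1, 10.1.1.2 }
    }
    chain input-net {
        type nat hook prerouting priority filter; policy accept;
        jump services
    }
    chain input-local {
        type nat hook output priority filter; policy accept;
        jump services
    }
    chain services {
        ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
        ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
    }
}
"""

# Constructed fix (assumption about intent): hook input-net at the input hook
# of a filter chain, which is one of the hooks reject is valid for.
RULESET_FIXED = RULESET_BAD.replace(
    "type nat hook prerouting priority filter; policy accept;",
    "type filter hook input priority filter; policy accept;",
)


def parse_ruleset(text):
    """Return {chain: {"hook": hook-or-None, "rules": [rule, ...]}}.

    Only chain blocks are parsed; set blocks and the table line are skipped.
    """
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = {"hook": None, "rules": []}
            continue
        if line == "}":
            current = None  # closes a chain, set or the table
            continue
        if current is None or not line:
            continue
        m = re.match(r"type \S+ hook (\S+) priority", line)
        if m:
            chains[current]["hook"] = m.group(1)  # base chain
        else:
            chains[current]["rules"].append(line)
    return chains


def callers(chains):
    """Map each chain name to the set of chains that jump or goto to it."""
    called_from = defaultdict(set)
    for name, info in chains.items():
        for rule in info["rules"]:
            m = re.search(r"\b(?:jump|goto) (\S+)", rule)
            if m:
                called_from[m.group(1)].add(name)
    return called_from


def entry_hooks(chain, chains, called_from, seen=None):
    """Set of base-chain hooks from which `chain` is (transitively) reachable."""
    seen = set() if seen is None else seen
    if chain in seen:
        return set()  # nft forbids loops, but stay safe on malformed input
    seen.add(chain)
    hook = chains[chain]["hook"]
    if hook is not None:
        return {hook}
    hooks = set()
    for caller in called_from.get(chain, ()):
        hooks |= entry_hooks(caller, chains, called_from, seen)
    return hooks


def check_reject(text):
    """Return [(chain, rule, [offending hooks])] for every reject statement
    that is reachable from a hook other than input/forward/output."""
    chains = parse_ruleset(text)
    called_from = callers(chains)
    problems = []
    for name, info in chains.items():
        reject_rules = [r for r in info["rules"] if re.search(r"\breject\b", r)]
        if not reject_rules:
            continue
        bad = entry_hooks(name, chains, called_from) - REJECT_HOOKS
        for rule in reject_rules:
            if bad:
                problems.append((name, rule, sorted(bad)))
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", RULESET_BAD), ("fixed", RULESET_FIXED)):
        print(label, "->", check_reject(text) or "ok")
```

A chain that nobody jumps to has no entry hooks, so its reject rules are not flagged; that matches what happened in the thread, where the `services` chain loaded fine and the error only appeared when the jump from the prerouting-hook chain was added.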
