On Mon, Nov 25, 2019 at 06:55:41PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Hello Pablo,
>
> Please see below the table/chain/rules/sets I program. When I try to add a jump from input-net, input-local to services it fails with "Operation not supported". I would appreciate it if somebody could help me understand why:
>
> sudo nft add rule ipv4table input-net jump services
> Error: Could not process rule: Operation not supported
> add rule ipv4table input-net jump services
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> table ip ipv4table {
>   set no-endpoint-svc-ports {
>     type inet_service
>     elements = { 8080, 8989 }
>   }
>
>   set no-endpoint-svc-addrs {
>     type ipv4_addr
>     flags interval
>     elements = { 10.1.1.1, 10.1.1.2 }
>   }
>
>   chain input-net {
>     type nat hook prerouting priority filter; policy accept;
>   }
>
>   chain input-local {
>     type nat hook output priority filter; policy accept;
>   }
>
>   chain services {
>     ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
>     ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
>   }
> }
>
> Thank you
> Serguei
>

Hi Serguei,

The reason it fails is, from *man nft*:

> This statement [reject] is only valid in the input, forward and output chains,
> and user-defined chains which are only called from those chains.

(I inserted the bit in square brackets).

The wording could perhaps be clarified: what it really means to say is

  Reject is only valid in base chains using the input, forward or output hooks,
  and user-defined chains which are only called from those chains.

Put that way, you can see why your command is rejected.

Cheers ... Duncan.
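As an added illustration of Duncan's point (an example ruleset written for this page, not taken from the thread or from Serguei's setup): the same sets and the same services chain, but called only from filter-type base chains on the input, forward and output hooks, where reject is permitted. The chain names filter-input, filter-forward and filter-output are assumed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Chain names
# filter-input / filter-forward / filter-output are assumed.

table ip ipv4table {
    set no-endpoint-svc-ports {
        type inet_service
        elements = { 8080, 8989 }
    }

    set no-endpoint-svc-addrs {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.1, 10.1.1.2 }
    }

    # Regular (non-base) chain. It may contain reject only because every
    # chain that jumps to it below is a filter chain on the input, forward
    # or output hook. Adding "jump services" to a nat chain hooked at
    # prerouting or output makes the kernel refuse the rule with
    # "Operation not supported", as in the original report.
    chain services {
        ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
        ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
    }

    # Traffic that arrived from the network (what the nat prerouting chain
    # "input-net" saw) is either delivered locally (input hook) or routed
    # onwards (forward hook), so both hooks call the services chain.
    chain filter-input {
        type filter hook input priority filter; policy accept;
        jump services
    }

    chain filter-forward {
        type filter hook forward priority filter; policy accept;
        jump services
    }

    # Locally generated traffic (what the nat output chain "input-local" saw).
    chain filter-output {
        type filter hook output priority filter; policy accept;
        jump services
    }
}
```

Check the file without loading it with `nft -c -f services.nft` (file name assumed); a ruleset that jumps to services from a nat chain fails this check with the same "Operation not supported" error, while this one passes.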