On 03/12/2014 12:00, Pablo Neira Ayuso wrote:
> On Wed, Dec 03, 2014 at 08:30:52AM +0100, Jean-Philippe Menil wrote:
>> On 02/12/2014 23:15, Eric Leblond wrote:
>>> Hi,
>>>
>>> On Tue, 2014-12-02 at 23:09 +0100, Jean-Philippe Menil wrote:
>>>> Hi,
>>>>
>>>> while playing with nftables, I observe that my iptables masquerading does not
>>>> work anymore:
>>>>
>>>> modprobe nft_nat
>>>> modprobe nft_chain_nat_ipv4
>>>> nft add table nat
>>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>
> BTW, you will also have to add the prerouting nat chain so the NAT
> engine can undo NAT for reply traffic, see:
>
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

Yes, I just forgot to put it in the mail :)

>
>>>> ^^ iptables nat stopped working here.
>>>>
>>>> I'm sure I read that nftables and iptables were compatible.
>>>>
>>>> Can anyone point out what I am missing?
>>>>
>>>> (I'm on 3.17.4)
>>>
>>> Sadly, masquerade requires 3.18. Only standard NAT is implemented in
>>> 3.17.x.
>>>
>>> BR,
>>>
>> Hi Eric,
>>
>> thanks for your response.
>>
>> I've seen on the wiki that masquerading requires a 3.18 kernel.
>>
>> But why does just adding the type nat hook with nftables break the iptables
>> masquerading?
>
> Because the NAT engine attaches the null-nat-binding (i.e. this
> conntrack has no NAT at all) when the packet leaves the chain without
> matching any rule.
>
> If you run iptables and nf_tables for NAT at the same time, the first
> chain will configure NAT for the conntrack, the second will just skip
> the packet since NAT has been already set up.

Ok, now I understand better.

Many thanks!
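For reference, the complete NAT table the thread converges on, written as an nft ruleset file rather than as individual `nft add` commands. This is an added example, not something posted in the thread. It follows the thread's two constraints: both a prerouting and a postrouting chain on the nat hook (Pablo's point about un-NATing replies), and a kernel of 3.18 or later for the masquerade statement (Eric's point; 3.17 only has static snat/dnat). The uplink interface name "eth0" and the LAN prefix 192.168.1.0/24 are assumed values.

```nft
# Added example, not from the thread. Load with:  nft -f nat.nft
# Assumes kernel >= 3.18 (masquerade statement), uplink "eth0" and
# LAN 192.168.1.0/24; adjust these for your own setup.

table ip nat {
    # The prerouting chain may stay empty: registering the nat hook here is
    # what lets the NAT engine reverse the translation on reply packets.
    chain prerouting {
        type nat hook prerouting priority 0;
    }

    chain postrouting {
        type nat hook postrouting priority 0;
        # Translate only LAN traffic that leaves through the uplink.
        ip saddr 192.168.1.0/24 oifname "eth0" masquerade
    }
}
```

Verify the table was loaded with `nft list table ip nat`. Do not keep an iptables MASQUERADE rule active for the same flows alongside this table: as Pablo explains above, whichever NAT chain handles the first packet of a connection decides the conntrack's binding (a null binding if no rule matched), and the other framework's chain then skips the connection entirely, which is exactly the silent breakage reported in the thread.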