Re: nftables segv while trying to use nat redirection with map

On 03/11/15 12:08, Pablo Neira Ayuso wrote:
> On Mon, Nov 02, 2015 at 11:27:29PM +0000, Steve Horsley wrote:
> > Sorry for the delay in answering.
> >
> > I installed the development version of Ubuntu 16.10 with proposed updates.
> > With this version, nft -v reports version 0.5. My original set of commands
> > now works without crashing, so thanks for the advice to try version 0.5.
> >
> > However, this set of commands still fails:
> >
> > # nft flush ruleset
> > # nft add table nat
> > # nft add chain nat output { type nat hook output priority 0 \; }
> > # nft add map nat outnat {type ipv4_addr : ipv4_addr\; }
> > # nft add element nat outnat { 172.16.1.1 : 8.8.8.8 , 172.16.1.2 : 8.8.4.4 }
> > # nft add rule ip nat output dnat ip daddr map @outnat
> > <cmdline>:1:1-48: Error: Could not process rule: Invalid argument
> > add rule ip nat output dnat ip daddr map @outnat
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > It looks as though I have a syntax error in the command, but I can't find a
> > good example to use as a template. Do I have the syntax wrong, or is using a
> > separate set like this not possible?
>
> This is working here. What kernel version are you using?
>
> This problem is resolved in 4.2.4 and it should be in 4.1.12 too.

It appears to be version 4.2.0:

steve@steve-desktop:~$ uname -a
Linux steve-desktop 4.2.0-17-generic #21-Ubuntu SMP Fri Oct 23 19:56:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
steve@steve-desktop:~$

So I guess I have to wait until Ubuntu catches up with current releases, hopefully in time for their next release in April. Or I may try Debian Sid, which I think is on kernel 4.2.5 at the moment. I don't think we will be using Sid in production, but it should be good for testing.

Thank you again for looking at this. I think my questions are fully answered now.
Steve.