On Tue, Aug 22, 2017 at 09:55:10AM -0700, Jeff Kletsky wrote:
> Digging into the cause (and, for now ignoring the unhelpful error message),
> this appears to be a bug in nft
>
> No matter what the documentation says, it appears that NAT statements can't
> be in an "inet" table
>
> Parses and loads with "table ip"
> ================================
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> table ip global {
>
>     chain nat_in {
>         type nat hook prerouting priority -100
>         continue
>     }
>
>     chain nat_out {
>         type nat hook postrouting priority -100
>         continue
>     }
>
> }
>
>
> Fails with "table inet"
> =======================
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> table inet global {
>
>     chain nat_in {
>         type nat hook prerouting priority -100
>         continue
>     }
>
>     chain nat_out {
>         type nat hook postrouting priority -100
>         continue
>     }
>
> }
>
>
> The error messages here are different, but equally useless
>
> $ sudo nft -f nftables.conf
> nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
> flush ruleset
> ^^^^^^^^^^^^^^
> nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
> flush ruleset
> ^^^^^^^^^^^^^^
> nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
> flush ruleset
> ^^^^^^^^^^^^^^
> nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
> flush ruleset
> ^^^^^^^^^^^^^^

This is working since:

commit 509671dfa03365bba727b8be5e522b737da93a6f
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Thu Jun 15 14:35:33 2017 +0200

    src: error reporting for nested ruleset representation

Would you give a try to nft.git snapshot to confirm this?

This will be included in the next release.
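For readers arriving at this thread looking for the working shape of the ruleset: the quoted "table ip" variant above loads, but its chains only contain `continue` placeholders. The following is an added example, not code from either message, of the same two NAT chains in the "ip" family carrying real DNAT and masquerade rules. The interface name eth0, the 192.168.1.0/24 LAN and the 192.168.1.10 internal host are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). eth0, 192.168.1.0/24 and
# 192.168.1.10 are assumed values; substitute your own.

flush ruleset

table ip global {
    # Destination NAT runs early (priority -100, nft's "dstnat" value)
    # so that filter chains later see the already-rewritten destination.
    chain nat_in {
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" tcp dport 80 dnat to 192.168.1.10
    }

    # Source NAT conventionally sits at priority 100 ("srcnat"), i.e.
    # after filtering, rather than the -100 used for both chains in the
    # quoted config; otherwise the ruleset is structurally the same.
    chain nat_out {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Before loading a file like this on a production box, run `nft -c -f nftables.conf`: the `-c` (check) flag parses and validates the ruleset without applying it, which separates syntax and family errors from runtime problems such as the "No such file or directory" messages quoted above.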