Christian Schneider <christian@xxxxxxxx> wrote:
> Hello everyone,
> after upgrading my kernel to 4.16.4 (previous was 4.14.14) I'm not able
> to create pre/postrouting chains anymore.
>
> current state: $ nft list ruleset
> table inet filter {
>     set ports {
>         type inet_service
>         elements = { ssh, http, https }
>     }
>
>     chain input {
>         type filter hook input priority 0; policy accept;
>         iifname "lo" accept
>         iifname "br0" accept
>         ct state established,related accept
>         tcp dport @ports accept
>         reject
>     }
> }
>
> so, just some basic firewall. What I try:
> $ nft add table ip nat # OK
> $ nft add chain nat prerouting \{ type nat hook prerouting priority 0 \;\}
> Error: Could not process rule: Device or resource busy
> add chain nat prerouting { type nat hook prerouting priority 0 ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In case you have the iptable_nat module loaded, unload it.

Currently only one nat hook is permitted at the same time per hook point;
the EBUSY error is because there is already another prerouting nat hook
registered.

Yes, this is silly and needs to be fixed in the kernel.
Plan is to make 'nat hooks' internal 'lookup' functions, register the
real nat hook from the nat core and then get rid of this limitation.
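As an added example (not part of this thread and not netfilter project code): a small POSIX sh helper that inspects lsmod output for the legacy iptable_nat module, and as an assumption its IPv6 counterpart ip6table_nat, before an nftables nat chain is registered, so the "Device or resource busy" above is reported with its cause. The lsmod listings embedded below are constructed samples; the real lsmod is only consulted when no text is passed in.

```sh
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Explains the EBUSY on "nft add chain ... type nat hook prerouting" by
# checking whether a legacy xtables nat module already holds that hook.

# Legacy modules assumed to register nat hooks (assumption: iptable_nat
# for IPv4 as in the thread, ip6table_nat as its IPv6 counterpart).
LEGACY_NAT_MODULES="iptable_nat ip6table_nat"

# conflicting_nat_modules LSMOD_TEXT
# Prints each legacy nat module present in lsmod-style text, one per line.
# Returns 0 if at least one was found, 1 otherwise.
conflicting_nat_modules() {
    found=1
    for mod in $LEGACY_NAT_MODULES; do
        # lsmod prints the module name in the first column
        if printf '%s\n' "$1" | awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }'; then
            echo "$mod"
            found=0
        fi
    done
    return $found
}

# check_nat_hook_conflict [LSMOD_TEXT]
# Uses the given lsmod-style text, or runs lsmod when none is given.
# Returns 0 when the nat hook point is free, 2 when a legacy module holds it.
check_nat_hook_conflict() {
    text=${1:-$(lsmod 2>/dev/null)}
    if mods=$(conflicting_nat_modules "$text"); then
        echo "nat hook already registered by legacy module(s):" $mods >&2
        echo "unload first with: rmmod" $mods >&2
        return 2
    fi
    return 0
}

# Constructed sample lsmod output: legacy nat module loaded (the EBUSY case).
SAMPLE_LSMOD_BUSY='Module                  Size  Used by
iptable_nat            16384  0
nf_nat_ipv4            16384  1 iptable_nat
nf_tables             155648  3
ip_tables              28672  1 iptable_nat'

# Constructed sample lsmod output: only nf_tables loaded (chain creation works).
SAMPLE_LSMOD_CLEAN='Module                  Size  Used by
nf_tables             155648  3
nfnetlink              16384  1 nf_tables'

# Real run: check the live module list, then create the nat table and chain
# from the thread. Only executed when invoked with --create-nat-chain.
if [ "${1:-}" = "--create-nat-chain" ]; then
    check_nat_hook_conflict || exit $?
    nft add table ip nat
    nft add chain ip nat prerouting '{ type nat hook prerouting priority 0 ; }'
fi
```

Sourcing the file gives you the two functions for offline use against the sample listings; running it as `sh check_nat_hook.sh --create-nat-chain` on a host performs the live check and, only if the hook point is free, issues the same two nft commands the original poster ran.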