On 26.04.2018 at 13:03, Florian Westphal wrote:
> Christian Schneider <christian@xxxxxxxx> wrote:
>> Hello everyone,
>> after upgrading my kernel to 4.16.4 (previous was 4.14.14) I'm not able
>> to create pre/postrouting chains anymore.
>>
>> current state:
>> $ nft list ruleset
>> table inet filter {
>>         set ports {
>>                 type inet_service
>>                 elements = { ssh, http, https }
>>         }
>>
>>         chain input {
>>                 type filter hook input priority 0; policy accept;
>>                 iifname "lo" accept
>>                 iifname "br0" accept
>>                 ct state established,related accept
>>                 tcp dport @ports accept
>>                 reject
>>         }
>> }
>>
>> so, just some basic firewall. What I try:
>> $ nft add table ip nat # OK
>> $ nft add chain nat prerouting \{ type nat hook prerouting priority 0 \;\}
>> Error: Could not process rule: Device or resource busy
>> add chain nat prerouting { type nat hook prerouting priority 0 ; }
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> In case you have iptable_nat module loaded, unload it.
>
> Currently only one nat hook is permitted at the same time per hook
> point, the ebusy error is because there is already another prerouting
> nat hook registered.
>
> Yes, this is silly and needs to be fixed in the kernel.
>
> Plan is to make 'nat hooks' internal 'lookup' functions, register
> the real nat hook from the nat core and then get rid of this limitation.

Thx, that fixed it. linux-4.14.14 had it enabled (built in), too, but didn't mind.
There must have been a change somewhere in between.

BR, Christian

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
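The EBUSY Florian explains above comes from the iptables nat module already holding the prerouting nat hook that the nft chain wants. The following is an added example, not code from the thread or from the netfilter project: a small pre-check that inspects a /proc/modules-style listing for iptable_nat before an nft nat chain is created, so the failure is reported with its cause instead of a bare "Device or resource busy". The module listings embedded in it are constructed samples; the function names and the choice to check only iptable_nat (the module named in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original thread): detect a loaded
# iptable_nat module, which on the kernel discussed here occupies the
# nat hook that an nftables "type nat hook prerouting" chain needs.

# Returns 0 when iptable_nat appears in the given /proc/modules-format
# text (fields: name size refcount deps state address), 1 otherwise.
has_legacy_nat_module() {
    printf '%s\n' "$1" | awk '
        $1 == "iptable_nat" { found = 1 }
        END { if (found) exit 0; else exit 1 }
    '
}

# Constructed sample: a host where iptable_nat is loaded (conflict case).
SAMPLE_MODULES_BUSY='nf_tables 143360 5 nft_chain_nat,nft_counter, Live 0xffffffffc0a00000
iptable_nat 16384 0 - Live 0xffffffffc09f0000
nf_nat 40960 2 iptable_nat,nft_chain_nat, Live 0xffffffffc09e0000'

# Constructed sample: the same host after "rmmod iptable_nat".
SAMPLE_MODULES_CLEAN='nf_tables 143360 5 nft_chain_nat,nft_counter, Live 0xffffffffc0a00000
nf_nat 40960 1 nft_chain_nat, Live 0xffffffffc09e0000'

# Reads the live module list and explains the conflict before nft is
# invoked. Returns 0 when it is safe to proceed, 1 when iptable_nat
# is loaded, and 0 with a notice when /proc/modules is unavailable.
nat_chain_precheck() {
    if [ ! -r /proc/modules ]; then
        echo "note: /proc/modules not readable; cannot check for iptable_nat" >&2
        return 0
    fi
    if has_legacy_nat_module "$(cat /proc/modules)"; then
        echo "iptable_nat is loaded; it already holds the prerouting nat hook." >&2
        echo "Unload it (rmmod iptable_nat) before adding nft nat chains." >&2
        return 1
    fi
    return 0
}

# Stand-alone run: demonstrate on the constructed samples, then check
# the real system if we are on one. The nft commands are the ones from
# the thread and are only printed, not executed, by this example.
if has_legacy_nat_module "$SAMPLE_MODULES_BUSY"; then
    echo "sample BUSY listing: iptable_nat detected (expected)"
fi
if ! has_legacy_nat_module "$SAMPLE_MODULES_CLEAN"; then
    echo "sample CLEAN listing: no iptable_nat (expected)"
fi
if nat_chain_precheck; then
    echo "ok to run:"
    echo '  nft add table ip nat'
    echo '  nft add chain nat prerouting { type nat hook prerouting priority 0 ; }'
fi
```

The check is deliberately narrow: it only looks for the module Florian names, because on this kernel the limitation is one nat hook per hook point, so a loaded iptable_nat is sufficient to explain the EBUSY. Christian's note that 4.14.14 had the module built in and did not complain is consistent with that: the restriction is a property of the newer kernel, not of the nft ruleset.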