On Thu, Apr 26, 2018 at 12:24:13PM +0200, Christian Schneider wrote:
> Hello everyone,
> after upgrading my kernel to 4.16.4 (previous was 4.14.14) I'm not able
> to create pre/postrouting chains anymore.
> current state:
> $ nft list ruleset
> table inet filter {
>         set ports {
>                 type inet_service
>                 elements = { ssh, http, https }
>         }
>
>         chain input {
>                 type filter hook input priority 0; policy accept;
>                 iifname "lo" accept
>                 iifname "br0" accept
>                 ct state established,related accept
>                 tcp dport @ports accept
>                 reject
>         }
> }
>
> so, just some basic firewall. What I try:
> $ nft add table ip nat # OK
> $ nft add chain nat prerouting \{ type nat hook prerouting priority 0 \;\}
> Error: Could not process rule: Device or resource busy
> add chain nat prerouting { type nat hook prerouting priority 0 ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

rmmod iptables_nat

Florian is working to revisit this and allow interaction between
iptables and nftables NAT. By now, you have to disable iptable_nat
module.
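
A preflight check for the conflict described in this thread, as an added example that is not part of the original messages: it looks for the iptable_nat module (the name used in the last sentence of the reply) in /proc/modules before nft NAT chains are created. The function names and the optional file parameter are assumptions of this example, and the sample module listing is constructed.

```shell
#!/bin/sh
# Added example: preflight check for the iptables/nftables NAT conflict
# discussed above. Function names are hypothetical, not from the thread.

# find_iptables_nat [modules_file]
# Prints "<module> <refcount>" if iptable_nat is loaded.
# Returns 0 when it is loaded, 1 otherwise.
# modules_file defaults to /proc/modules; the parameter exists so the
# check can also run against a saved copy (assumption of this example).
find_iptables_nat() {
    modules_file="${1:-/proc/modules}"
    # /proc/modules fields: name size refcount used_by state address
    awk '$1 == "iptable_nat" { print $1, $3; found = 1 }
         END { exit(found ? 0 : 1) }' "$modules_file"
}

# nat_preflight [modules_file]
# Prints a one-line verdict. Returns 0 when iptable_nat is absent,
# 1 when it is loaded and the nft nat hook would be refused as busy.
nat_preflight() {
    if hit=$(find_iptables_nat "$1"); then
        echo "conflict: $hit (unload it before adding nft nat chains)"
        return 1
    fi
    echo "ok: iptable_nat not loaded"
    return 0
}

# Constructed sample of /proc/modules content (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
nf_tables 98304 5 - Live 0x0000000000000000
iptable_nat 16384 1 - Live 0x0000000000000000
EOF
nat_preflight "$sample" || true
rm -f "$sample"
```

Calling `nat_preflight` with no argument reads the live /proc/modules on the host being configured.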