Sean Darcy <seandarcy2@xxxxxxxxx> wrote:
> /* QUOTE
> Subject: NAT requires an output hook to be registered
> From: Konstantinos Tsakiltzidis <ktsakiltzidis () modulus ! gr>
> Date: 2018-04-05 13:01:43
> Message-ID: 068b1ba5-1483-c3af-2858-a78a5989d0d3 () modulus ! gr
>
> the docs
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
> forget to mention that it also needs an output chain hook in order for
> NAT to work, without it, even if someone has set both postrouting and
> prerouting, doing a masquerade at postrouting will make loopback stop working
> /*UNQUOTE
>
> So this does not work:
>
> table ip nat1 {
>     chain prerouting1 {
>         type nat hook prerouting priority 0; policy accept;
>     }
>     chain postrouting1 {
>         type nat hook postrouting priority 100; policy accept;
>         oifname external masquerade
>     }
> }

Right.

> You need to add
>
> chain output1 { type nat hook output priority 0; policy accept }

Yes, unfortunate limitation, it will go away soon though and things will work without it too.
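The thread gives the incomplete ruleset and the one chain that has to be added to it, but not the assembled result or a way to catch the omission before loading. The script below is an added example, not code from the thread or from the nftables project: it holds the completed ruleset (table and chain names and the interface name "external" are taken from the thread; the ruleset is constructed here, not loaded), the original ruleset without the output hook for comparison, and a small lint, `missing_nat_hooks`, that reports which of the three NAT hooks (prerouting, output, postrouting) no `type nat` chain registers. Locally generated packets traverse the output and postrouting hooks rather than prerouting, which is why the output chain is the one the thread reports as missing; the lint only checks that all three are declared.

```shell
#!/bin/sh
# Added example, not from the thread: a complete nftables NAT ruleset with the
# output-hook chain the thread says is required, plus a lint that reports which
# "type nat" hooks a ruleset text is missing. Names are taken from the thread.

# Completed ruleset (constructed here, not loaded by this script).
NAT_RULESET_OK='
table ip nat1 {
    chain prerouting1 {
        type nat hook prerouting priority 0; policy accept;
    }
    chain output1 {
        type nat hook output priority 0; policy accept;
    }
    chain postrouting1 {
        type nat hook postrouting priority 100; policy accept;
        oifname "external" masquerade
    }
}
'

# The ruleset as posted in the thread, which lacks the output hook.
NAT_RULESET_NO_OUTPUT='
table ip nat1 {
    chain prerouting1 {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting1 {
        type nat hook postrouting priority 100; policy accept;
        oifname "external" masquerade
    }
}
'

# missing_nat_hooks RULESET_TEXT
# Prints, one per line, each of the hooks prerouting/output/postrouting that
# no "type nat hook <name>" chain in RULESET_TEXT declares; prints nothing
# when all three are present.
missing_nat_hooks() {
    for hook in prerouting output postrouting; do
        if ! printf '%s\n' "$1" |
            grep -Eq "type[[:space:]]+nat[[:space:]]+hook[[:space:]]+${hook}[[:space:]]"; then
            echo "$hook"
        fi
    done
}

# check_nat_hooks RULESET_TEXT
# Returns 0 when the ruleset declares all three NAT hooks, 1 otherwise,
# naming the missing hooks on stderr.
check_nat_hooks() {
    missing=$(missing_nat_hooks "$1")
    if [ -n "$missing" ]; then
        echo "nat chain missing for hook(s): $(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Demonstration on the two constructed rulesets.
check_nat_hooks "$NAT_RULESET_OK" && echo "completed ruleset declares all nat hooks"
check_nat_hooks "$NAT_RULESET_NO_OUTPUT" || echo "posted ruleset is incomplete"
```

To use the lint on a live host, pass it the output of `nft list ruleset`, or run it over a file before loading that file with `nft -f`. The check is purely textual: it confirms the hooks are declared, not that the `masquerade` rule itself is correct.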