On Wed, Sep 11, 2019 at 05:41:37PM +0200, Matt wrote:
> Dear all,
> since I've updated to Debian Buster I've noticed a significant increase when
> applying around 1000 iptables rules on my corporate fw. Guess it's time to
> change to nft ...
>
> I used the iptables-restore-translate tool and ran the result using nft with
> the -f option, which works with no errors.
>
> However, I'd like to use nft on the shell and there are a few commands which
> do not apply. Does anybody know why?
>
> Again, those command templates are the result of iptables-restore-translate.
>
> # nft add table ip nat
> # nft add chain ip nat PREROUTING { type nat hook prerouting priority -100\; policy accept\; }
> nft: invalid option -- '1'
>
> # nft add chain ip nat OUTPUT { type nat hook output priority -100\; policy accept\; }
> nft: invalid option -- '1'
>
> # nft add table ip raw
> # nft add chain ip raw PREROUTING { type filter hook prerouting priority -300\; policy accept\; }
> # nft: invalid option -- '3'
>
> # nft add chain ip raw OUTPUT { type filter hook output priority -300\; policy accept\; }
> nft: invalid option -- '3'
>
> Any help would be great, thx Matt

The bison parser is interpreting the '-' as an option. Use quotes, e.g.:

# nft add chain ip nat PREROUTING '{ type nat hook prerouting priority -100 ; policy accept ; }'
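
The following is an added example, not part of the original thread: a small shell helper that turns ruleset lines of the kind iptables-restore-translate produces into commands that can be typed at a shell, quoting each command as a single argument so that `-100;` never reaches nft as a separate word. The function names and the sample ruleset are constructed for illustration, and it assumes nft accepts a whole command passed as one quoted argument.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names, constructed sample input).
# Reads nft commands, one per line, and prints a shell-safe invocation for each.
# Every command becomes ONE single-quoted argument, so the shell leaves ';',
# '{' and '}' alone and no argv word starts with '-'.
to_shell_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comment lines
        esac
        # Escape embedded single quotes:  '  ->  '\''
        esc=$(printf '%s\n' "$line" | sed "s/'/'\\\\''/g")
        printf "nft '%s'\n" "$esc"
    done
}

# Constructed sample in the style of the commands quoted in the thread.
sample_ruleset() {
    cat <<'EOF'
# constructed sample, not real tool output
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
EOF
}

# Print the shell-safe commands for the sample; nothing is executed.
sample_ruleset | to_shell_cmds
```

The output is meant to be reviewed and then pasted or saved as a script; the helper itself never calls nft.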