Dominique MARTINET wrote on Wed, Jul 27, 2022 at 05:03:32PM +0900:
> I've boiled down the reproducer to this:
>
> ---
> nft add table ip test
> nft chain ip test test '{ type nat hook prerouting priority -100; policy accept; }'
> nft add rule ip test test log prefix "test-pre-" counter packets 0 bytes 0
>
> # at this point do some network activity;
> # since there is no match specified new connections should trigger
> # the log and increment counters for the rule
> nft list table test
>
> # (and cleanup)
> nft delete table test
> ---

Florian Westphal replied off list (thanks!).

After a couple of mails the problem just boils down to conntrack not being
loaded by a log rule.
Adding a ct state rule in filter or any masquerade/redirect/snat/dnat in here
enables it and everything works well.

I was just double-confused because my initial test machine, which had dnat
rules, was down to the other problem of older kernels:
> (I've also seen on the internet that for older kernels iptable_nat is
> incompatible with nft nat chains and tried taking it out, but that
> shouldn't be relevant anymore)

So all is cleared up now, thanks!
--
Dominique
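For reference, here is the reproducer from the mail above rewritten as an nft script with the fix the thread arrives at: a separate filter chain that references ct state, so conntrack gets pulled in and the log/counter rule in the nat prerouting chain actually sees packets. This is an added example, not code from the original mail or from the nftables project. The table and nat chain names are taken from the reproducer; the filter chain name "ctload" and its hook priority are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not part of the original thread): the reproducer's nat
# prerouting chain plus a filter chain whose only job is to reference
# ct state, which is what makes conntrack get loaded for this table.
# Delete any leftover "test" table from the reproducer before loading:
#   nft delete table ip test ; nft -f this-file

table ip test {
    chain test {
        # unchanged from the reproducer: a nat chain with no match,
        # so every packet that reaches it is logged and counted
        type nat hook prerouting priority -100; policy accept;
        log prefix "test-pre-" counter
    }

    chain ctload {
        # Assumed priority: after conntrack (which hooks at -200) and
        # before the nat chain at -100. The "ct state" reference is the
        # point of this chain; the counter only lets you confirm via
        # "nft list table ip test" that new connections traverse it.
        type filter hook prerouting priority -150; policy accept;
        ct state new counter
    }
}
```

After loading, generate some traffic and run `nft list table ip test`: with the ctload chain present the counter on the log rule increments and "test-pre-" entries show up in the kernel log, whereas with only the nat chain (the original reproducer) the counter stays at zero, as described in the mail.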