Re: nftables problem consultation

On Tuesday, December 12th, 2023 at 05:25, ye4 yu3 <ye4yu3@xxxxxxxxxxx> wrote:
> I have a question regarding the egress hook of nftables. I want to modify the IP packet source or destination port in the egress hook. I use this rule in an egress chain (tcp dport 80 tcp dport set 8080); it loads successfully, but it has no effect. If I only
> modify the IP packet source or destination address, it does have an effect (ip daddr 10.0.0.1 ip daddr set 10.0.0.2). I use the set-port rule on any other hook and it works, including ingress. I don't know why the egress hook is ineffective; perhaps there is some way to solve this problem?

Hello Ye Yu,

First, do you have kernel 5.16+?  That is needed to get the egress hook functionality (I assume "yes", since you are not getting an error when you add your rule).

Next, how are you verifying that it doesn't work?  Are you running tcpdump (or equivalent) and watching the packets come out of the specified interface without the port translation?

Finally, I have not seen the egress hook used to do port translations, typically that is done in the inet/ip tables using the prerouting/postrouting hooks with NAT rules.  Are you trying to do something that specifically requires the use of the egress hook?  

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Hooks_by_family_and_chain_type

Eric
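Eric's point that port translation is normally done with nat-type chains in the prerouting/postrouting (and output) hooks, worked through as an added example; this ruleset is not from the thread or from the netfilter project. The interface eth0, the address 10.0.0.1 and the ports 80 and 8080 are assumed for illustration. Each rule carries a counter so that, together with the tcpdump check Eric asks for, the reader can tell a rule that never matches from one that matches but fails to rewrite.

```nft
# Added example, not from the thread: rewrite destination port 80 -> 8080
# with nat-type chains instead of a netdev egress chain. Interface "eth0",
# host 10.0.0.1 and the two ports are assumed for illustration.
# Apply with:  nft -f port-nat.nft   (needs root; nft -c -f only checks syntax)

flush ruleset

table ip nat {
    # Packets arriving on eth0 for :80 are translated before routing, so the
    # local service listening on :8080 receives them. conntrack reverses the
    # translation on the reply packets automatically.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" tcp dport 80 counter redirect to :8080
    }

    # Locally generated packets never traverse prerouting; for them the
    # output nat hook is where the destination port is rewritten.
    chain output {
        type nat hook output priority -100; policy accept;
        oifname "eth0" ip daddr 10.0.0.1 tcp dport 80 counter dnat to 10.0.0.1:8080
    }
}
```

To verify, run `nft list ruleset` and watch the counters while generating traffic, and in parallel `tcpdump -ni eth0 tcp port 8080`. A counter that stays at zero means the packet never reached the chain (wrong hook, interface or match); a counter that increments while tcpdump still shows the original port means the rule matched but the rewrite did not take effect.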