Re: nftables problem consultation

First of all, thank you for your reply.

Yes, I use kernel 6.1, so the rule can be successfully added without any errors, and setting the source or destination address can be successfully executed.

As you said, I used tcpdump to check the status of the IP packets. The rule to set the port cannot be successfully executed, and I see that the IP packets appear to be damaged in the tcpdump (they no longer have source and destination ports).

Finally, some of my jobs require the use of egress hooks to modify the address or port, and I do not use prerouting/postrouting hooks because they must have state.

On Tuesday, December 12th, 2023 at 05:25, ye4 yu3 <ye4yu3@xxxxxxxxxxx> wrote:
> I have a question regarding the egress hook of nftables. I want to modify the IP packet source or destination port on the egress hook. I use this rule in the egress chain (tcp dport 80 tcp dport set 8080); it successfully loaded, but it didn't have any effect. If I only modify the IP packet source or destination address, it has an effect (ip daddr 10.0.0.1 ip daddr set 10.0.0.2). I use the set port rule on any other hook and it works, including ingress. I don't know why the egress hook is ineffective; perhaps there is some way to solve this problem?

Hello Ye Yu,

First, do you have kernel 5.16+? That is needed to get the egress hook functionality (I assume "yes", since you are not getting an error when you add your rule).

Next, how are you verifying that it doesn't work? Are you running tcpdump (or equivalent) and watching the packets come out of the specified interface without the port translation?

Finally, I have not seen the egress hook used to do port translations; typically that is done in the inet/ip tables using the prerouting/postrouting hooks with NAT rules. Are you trying to do something that specifically requires the use of the egress hook?

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Hooks_by_family_and_chain_type

Eric
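The two placements discussed in this thread side by side, as an added example that is not part of the thread and not nftables project code: a netdev egress chain carrying the address rewrite the reporter says works, and an ip-family nat table doing the port rewrite the way Eric describes, in nat-type chains on the output and prerouting hooks. The interface name eth0 is a placeholder; the 10.0.0.x addresses and the 80/8080 ports are taken from the thread; port-only `dnat to :8080` is assumed to be accepted by the reader's nft version.

```nft
# Added example, not from the thread. Load with: nft -f <this file>
# "eth0" is a placeholder interface name; addresses and ports follow the thread.
flush ruleset

# 1. netdev egress hook (kernel 5.16+, as Eric notes). The address rewrite
#    via a payload set is what the reporter says works here. The rule
#    "tcp dport 80 tcp dport set 8080" on this hook is the one the thread
#    reports as loading but having no effect, so it is deliberately absent.
table netdev egress_demo {
    chain egress {
        type filter hook egress device "eth0" priority 0; policy accept;
        ip daddr 10.0.0.1 counter ip daddr set 10.0.0.2
    }
}

# 2. Port translation in nat-type chains, as Eric suggests. These rely on
#    conntrack: the kernel records the 80 -> 8080 mapping per flow and
#    reverses it on the replies, which is the "state" the reporter refers to.
table ip nat {
    # locally generated packets pass the output hook before postrouting
    chain output {
        type nat hook output priority -100; policy accept;
        tcp dport 80 counter dnat to :8080
    }
    # forwarded packets are rewritten in prerouting instead
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 80 counter dnat to :8080
    }
}
```

To check the result the way Eric asks about, watch the interface with `tcpdump -nn -i eth0 'tcp port 8080'` and compare the rule counters with `nft list table ip nat`: a hit on the counter without matching 8080 packets on the wire points at the rewrite, not the match, as the part that is failing.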
