On Fri, Feb 02, 2024 at 01:38:46AM +0000, Eric wrote:
> On Wednesday, January 31st, 2024 at 14:36, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> > On Wed, Jan 31, 2024 at 08:23:54PM +0000, Slavko wrote:
> >
> > > On 31 January 2024 13:02:57 UTC, user Kerin Millar kfm@xxxxxxxxxxxxx wrote:
> > > > [...]
> > >
> > > I check manpage now, 1.0.6 (as is in Debian bookworm) and from its
> > > ADDRESS FAMILY section is not clean (at least for me) the order of
> > > inet and ip/ip6 tables processing. It is even not clearly stated here,
> > > that packet will be processed in both, the inet and the ip/ip6.
> >
> > There is a command to display the datapath hook pipeline per device:
> >
> > # nft list hooks device eth0
> > family ip {
> >         hook ingress {
> >                 0000000000 chain netdev x y [nf_tables]
> >         }
>
> Pablo,
>
> Is there a minimum kernel version required to get these to work? I've
> tried it on 5.15 and 6.1, both of which just spin for a second and
> produce nothing.

Works fine with -stable 5.15 and 6.1 here. Does your kernel turn on
this?

CONFIG_NETFILTER_NETLINK_HOOK=m

> I also tried a bunch of other 'list' commands and got 'list ct expectation'
> to seg fault on 5.15, but it's fine on 6.1.

I have just tested on 5.15 and 6.1 and this works fine. Userspace nft
version and reproducer?

> (And all of these other 'list <state>' commands produce nothing on my machines.)

If you did not define such objects in your ruleset, then it is normal
that this produces nothing.
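
One way to answer the question about CONFIG_NETFILTER_NETLINK_HOOK on a given machine, as an added example that is not part of the original message or of nftables. The function names `hook_config_state` and `running_kernel_config` are hypothetical, and the config file locations tried are assumptions about common distribution layouts.

```shell
#!/bin/sh
# Added example: report how CONFIG_NETFILTER_NETLINK_HOOK is set in a
# kernel config file (plain text or gzip-compressed).

# hook_config_state FILE
# Prints one of: builtin | module | disabled | absent | unknown
hook_config_state() {
    cfg=$1
    # "unknown" means the file could not be read at all.
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Match the exact symbol, either set ("=y"/"=m") or commented out
    # ("# ... is not set"); the last matching line wins.
    line=$($reader "$cfg" 2>/dev/null |
        grep -E '^(# )?CONFIG_NETFILTER_NETLINK_HOOK[= ]' | tail -n 1) || true
    case "$line" in
        CONFIG_NETFILTER_NETLINK_HOOK=y) echo builtin ;;
        CONFIG_NETFILTER_NETLINK_HOOK=m) echo module ;;
        "# CONFIG_NETFILTER_NETLINK_HOOK is not set") echo disabled ;;
        "") echo absent ;;      # symbol not mentioned in this config
        *)  echo unknown ;;     # unexpected value
    esac
}

# running_kernel_config
# Prints the first readable config for the running kernel (assumed paths).
running_kernel_config() {
    rel=$(uname -r)
    for f in /proc/config.gz "/boot/config-$rel" "/lib/modules/$rel/config"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

if cfg=$(running_kernel_config); then
    echo "$cfg: CONFIG_NETFILTER_NETLINK_HOOK is $(hook_config_state "$cfg")"
else
    echo "no readable kernel config found for $(uname -r)" >&2
fi
```

A result of `disabled` or `absent` means the kernel was built without the option asked about in the reply above.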