>> nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4 > > Strange, this version does work for me. > > table inet cni-kindnet { > map hostport-map-v4 { > type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service > flags interval > } > > chain prerouting { > type nat hook prerouting priority dstnat; policy accept; > dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4 > } > } Yeah, it works for me too, it seems the difference is the "ip" statement after the "dnat" ... "dnat ip to ip daddr ..." Without that "ip" I can see with strace that it gets " -1 EAGAIN (Resource temporarily unavailable) Thanks for the help