[Bug 1694] New: can't use "priority dstnat" in "hook output" (or srcnat in input)

bugzilla-daemon at netfilter.org
Fri Jul 28 19:03:42 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1694

            Bug ID: 1694
           Summary: can't use "priority dstnat" in "hook output" (or
                    srcnat in input)
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: danw at redhat.com
                CC: fw at strlen.de

The "dnat" command is usable from either "prerouting" or "output", but the
"dstnat" priority is only usable from "prerouting". (Likewise, "snat" is usable
from either "postrouting" or "input", but "srcnat" is only usable from
"postrouting".)

Maybe the priorities matter in the prerouting and postrouting chains, but not
in input and output? But if so, nothing in the man page or wiki explains that.

Also, the sample files (e.g.
http://git.netfilter.org/nftables/tree/files/nftables/ipv4-nat.nft?h=v1.0.8)
use "type nat hook output priority -100" and "type nat hook input priority
100", implying that those hooks *are* supposed to use those priorities...
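
An added example, not part of the original report or of nftables: a Python check that finds base-chain declarations using "dstnat" outside prerouting or "srcnat" outside postrouting, as the report describes for 1.0.x, and rewrites them to the numeric values the sample file uses (-100 and 100). The function name, the regex and the sample ruleset are constructed for illustration, and the ip family is assumed.

```python
import re

# From the report: hook on which each name is accepted, and the numeric value
# that files/nftables/ipv4-nat.nft uses on the output/input hooks instead.
NAMED = {"dstnat": ("prerouting", -100), "srcnat": ("postrouting", 100)}

# Matches "hook <hook> priority <name>[ +/- offset]" up to the closing ';'.
DECL = re.compile(
    r"(hook\s+(?P<hook>\w+)\s+priority\s+)"
    r"(?P<name>dstnat|srcnat)(?:\s*(?P<off>[+-]\s*\d+))?(?=\s*;)"
)

def fix_priorities(ruleset):
    """Return (rewritten_ruleset, findings).

    findings holds (line_no, hook, name, numeric_value) for every chain
    declaration whose named priority is not accepted on that hook.
    """
    findings, out = [], []
    for no, line in enumerate(ruleset.splitlines(), 1):
        code, sep, comment = line.partition("#")  # leave comments untouched

        def repl(m, no=no):
            ok_hook, value = NAMED[m["name"]]
            if m["hook"] == ok_hook:
                return m.group(0)  # name is accepted here, keep as written
            if m["off"]:  # e.g. "dstnat + 10" becomes -90
                value += int("".join(m["off"].split()))
            findings.append((no, m["hook"], m["name"], value))
            return f"{m.group(1)}{value}"

        out.append(DECL.sub(repl, code) + sep + comment)
    return "\n".join(out) + "\n", findings

# Constructed sample ruleset (not taken from the report).
SAMPLE = """\
table ip nat {
    chain prerouting  { type nat hook prerouting priority dstnat; }
    chain output      { type nat hook output priority dstnat; }
    chain input       { type nat hook input priority srcnat; }
    chain postrouting { type nat hook postrouting priority srcnat; }
}
"""

if __name__ == "__main__":
    fixed, found = fix_priorities(SAMPLE)
    for no, hook, name, value in found:
        print(f"line {no}: '{name}' on hook {hook}, use {value}")
    print(fixed, end="")
```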
