<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1281">bug 1281</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>phil@nwl.cc
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>INVALID
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1281#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1281">bug 1281</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>Hi,
(In reply to seungheon from <a href="show_bug.cgi?id=1281#c0">comment #0</a>)
[...]
<span class="quote">> I want to use nft -f command for enrolling rule.
> This is my rule.
> --------------------------------------------------------------------
> table ip testbed_nat {
> chain preroutingnat_200 {
> type nat hook prerouting priority -300; policy accept;
> }
> chain postroutingnat_200 {
> type nat hook postrouting priority -300; policy accept;
> }
> }
> --------------------------------------------------------------------
>
> But, the result of nft -f command is this.
> ~# nft -f rule
> rule:4:15-31: Error: Could not process rule: Operation not supported
> chain preroutingnat_200 {
> ^^^^^^^^^^^^^^^^^
> rule:10:15-32: Error: Could not process rule: Operation not supported
> chain postroutingnat_200 {
> ^^^^^^^^^^^^^^^^^^
>
> I changed priority value -300 -> -199, it worked. But i changed value over
> -200, it didn't work.
> And I changed kernel version 4.18.10 to 4.15 or 4.13, then it worked.</span >
Starting with Linux kernel version 4.16, nftables rejects nat chains hooking
before conntrack as that would not work. Related commit is:
commit 84ba7dd71add05b52e55c60b4a3af9bb6194c73d
Author: Florian Westphal <<a href="mailto:fw@strlen.de">fw@strlen.de</a>>
Date: Fri Dec 8 17:01:55 2017 +0100
netfilter: nf_tables: reject nat hook registration if prio is before
conntrack
No problem for iptables as priorities are fixed values defined in the
nat modules, but in nftables the priority its coming from userspace.
Reject in case we see that such a hook would not work.
Signed-off-by: Florian Westphal <<a href="mailto:fw@strlen.de">fw@strlen.de</a>>
Signed-off-by: Pablo Neira Ayuso <<a href="mailto:pablo@netfilter.org">pablo@netfilter.org</a>>
So in summary, you can't use a priority value lower than or equal to -200 for
nat type chains.
I'll take a note to reject this in userspace though (and provide a descriptive
error message, not just EOPNOTSUPP).
Thanks, Phil</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>