bugzilla-daemon at netfilter.org
2017-Aug-22 17:29 UTC
[Bug 1173] New: Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

            Bug ID: 1173
           Summary: Documentation/error messages around NAT statements in
                    "inet" tables incorrect
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com

Observed behavior:
=================

No matter what the documentation says, it appears that NAT statements can't
be in an "inet" table. The error messages are unhelpful in deducing this.

Expected behavior:
=================

* NAT statements could be present in inet tables as it is already limited to
  IPv4/IPv6 packets, at least as I understand it.

  <http://www.netfilter.org/projects/nftables/manpage.html>
  "inet Internet (IPv4/IPv6) address family."

  ibid., under "NAT STATEMENTS"
  "The nat statements are only valid from nat chain types."
  (with no statement there that a nat chain can't be in an inet table)

  ibid., under "TABLES"
  "The inet address family is a dummy family which is used to create hybrid
  IPv4/IPv6 tables."

  ibid., under "CHAINS"
  (No indication that NAT chains cannot be contained within inet tables)

  <https://wiki.nftables.org/wiki-nftables/index.php/Why_nftables%3F>
  "Simplified dual stack IPv4/IPv6 administration, through the new inet family
  that allows you to register base chains that see both IPv4 and IPv6 traffic."

* Error messages point to the likely cause of the problem, as well as how to
  resolve it (at least *where* in the file the problem occurred)

Desired outcomes:
================

* Critical -- update documentation; user shouldn't have to "guess" as to the
  problem
* Major -- provide "insightful" error messages
* Enhancement -- allow NAT statements in inet tables

To replicate:
============

Parses and loads with "table ip"
===============================

    #!/usr/sbin/nft -f

    flush ruleset

    table ip global {
        chain nat_in {
            type nat hook prerouting priority -100;
            continue
        }
        chain nat_out {
            type nat hook postrouting priority -100;
            continue
        }
    }

Fails with "table inet"
======================

    #!/usr/sbin/nft -f

    flush ruleset

    table inet global {
        chain nat_in {
            type nat hook prerouting priority -100;
            continue
        }
        chain nat_out {
            type nat hook postrouting priority -100;
            continue
        }
    }

The error messages here are different, but equally useless

    $ sudo nft -f nftables.conf
    nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
    flush ruleset
    ^^^^^^^^^^^^^^
    nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
    flush ruleset
    ^^^^^^^^^^^^^^
    nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
    flush ruleset
    ^^^^^^^^^^^^^^
    nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
    flush ruleset
    ^^^^^^^^^^^^^^

When NAT statements occur in a non-trivial rule set, the error messages are
unhelpful as well:

Adding simple NAT statements results in "meaningless" reference in error
message:

    In file included from nftables.conf:114:5-45:
    ./blackhole_check_internal.nft:6:54-57: Error: NAT is only supported for IPv4/IPv6
    nal_allowed_net {
    ^^^^

That's a non sequitur, nowhere near any NAT-related statement. The NAT-related
statements are in an "inet" table.

The NAT-related statements are all "protected" with "ip version 4" now, and
the problem still persists.

(See further <http://www.spinics.net/lists/netfilter/msg57562.html>)

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Aug-22 19:50 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---

    ~/build/nftables$ git log -1
    commit d74eed8c9649e9278b69f2cd0fd92f71e3e19cfb (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
    Author: Varsha Rao <rvarsha016 at gmail.com>
    Date:   Wed Aug 16 19:48:17 2017 +0530

    ~/build/libmnl$ git log -1
    commit fbe0f33b45abd585eb9f52cb56d751a750667dc6 (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
    Author: Guillaume Nault <g.nault at alphalink.fr>
    Date:   Wed Aug 3 12:52:34 2016 +0200

    ~/build/libnftnl$ git log -1
    commit d58998312375de0865091cfc5d00ddd271d9a44c (HEAD -> master, tag: 2017-08-19)
    Author: Eric Leblond <eric at regit.org>
    Date:   Thu Jul 6 13:58:27 2017 +0100
bugzilla-daemon at netfilter.org
2019-Jul-12 10:12 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org       |fw at strlen.de
bugzilla-daemon at netfilter.org
2019-Jul-16 16:31 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Florian Westphal <fw at strlen.de> ---

resolving this as new kernels support NAT chain type in the inet table as well.
bugzilla-daemon at netfilter.org
2020-Nov-02 10:05 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |c-d.hailfinger.devel.2006 at g
                   |                            |mx.net

--- Comment #3 from Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> ---

The unhelpful "Could not process rule: No such file or directory" error
messages are still there on nft 0.9.6 when run with kernel 4.19.
bugzilla-daemon at netfilter.org
2020-Nov-02 10:08 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173

--- Comment #4 from Florian Westphal <fw at strlen.de> ---

(In reply to Carl-Daniel Hailfinger from comment #3)
> The unhelpful "Could not process rule: No such file or directory" error
> messages are still there on nft 0.9.6 when run with kernel 4.19.

Inet family nat needs kernel v5.2 or newer.
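The thread's practical conclusion is that the "Could not process rule: No such file or directory" output is the kernel returning ENOENT because it has no nat chain type registered for the inet family, and that kernels from v5.2 on do register one. The following shell helpers are an added example, not code from the bug report or from the nftables project: they decide from a kernel version string whether an inet nat table can be loaded, fall back to the reporter's working "table ip" form otherwise, and print the matching ruleset so it can be checked with `nft -c`. The version parsing, the function names and the choice of priority 100 on the postrouting chain (the conventional srcnat slot; the report used -100 on both hooks) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of this bug thread or of nftables itself).
# Per comment #4, a nat chain type in an "inet" table needs kernel v5.2 or
# newer; on older kernels nft reports the kernel's ENOENT as
# "No such file or directory". These helpers pick the table family from the
# kernel version and print the reporter's two-chain ruleset for that family.

# kernel_supports_inet_nat VERSION
#   returns 0 if VERSION (e.g. "5.10.0-8-amd64") is >= 5.2, 1 if older,
#   2 if the string does not start with MAJOR.MINOR digits
kernel_supports_inet_nat() {
    ver=${1%%-*}                       # drop "-12-amd64" / "-rc1" suffixes
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;                # bare "5" means 5.0
    esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 2 ] && return 0
    return 1
}

# nat_family VERSION -> prints "inet" on kernels that accept inet nat, else "ip"
nat_family() {
    if kernel_supports_inet_nat "$1"; then
        printf 'inet\n'
    else
        printf 'ip\n'
    fi
}

# nat_ruleset FAMILY -> prints the nat ruleset from the report with the
# family substituted (assumed layout; priority 100 on postrouting is the
# usual srcnat slot, the report used -100 on both hooks)
nat_ruleset() {
    cat <<EOF
flush ruleset

table $1 global {
    chain nat_in {
        type nat hook prerouting priority -100;
    }
    chain nat_out {
        type nat hook postrouting priority 100;
    }
}
EOF
}

# Usage (root and an installed nft required; -c only checks, does not load):
#   nat_ruleset "$(nat_family "$(uname -r)")" | nft -c -f -
```

Running the usage line on a 4.19 kernel produces a "table ip" ruleset that loads, while on 5.2 or newer it produces the "table inet" form the reporter wanted; in both cases `nft -c` validates the file against the running kernel before anything is committed.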