bugzilla-daemon at netfilter.org
2018-Oct-04 06:43 UTC
[Bug 1281] New: Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
https://bugzilla.netfilter.org/show_bug.cgi?id=1281 Bug ID: 1281 Summary: Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200. Product: nftables Version: unspecified Hardware: x86_64 OS: Ubuntu Status: NEW Severity: critical Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: seungheon_jang at tmax.co.kr Hi. I'm using OS 'Ubuntu 18.04'. The kernel version is '4.18.10'. And nft version is 'nftables v0.9.0 (Fearless Fosdick)' I installed these packages. libjansson4_2.11-1_amd64.deb libnftnl7_1.1.1-1_amd64.deb libnftables0_0..9.0-1_amd64.deb nftables_0.9.0-1_amd64.deb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I want to use nft -f command for enrolling rule. This is my rule. -------------------------------------------------------------------- table ip testbed_nat { chain preroutingnat_200 { type nat hook prerouting priority -300; policy accept; } chain postroutingnat_200 { type nat hook postrouting priority -300; policy accept; } } -------------------------------------------------------------------- But, the result of nft -f command is this. ~# nft -f rule rule:4:15-31: Error: Could not process rule: Operation not supported chain preroutingnat_200 { ^^^^^^^^^^^^^^^^^ rule:10:15-32: Error: Could not process rule: Operation not supported chain postroutingnat_200 { ^^^^^^^^^^^^^^^^^^ I changed priority value -300 -> -199, it worked. But i changed value over -200, it didn't work. And I changed kernel version 4.18.10 to 4.15 or 4.13, then it worked. I want to use nft in kernel that version is 4.18.10 Please look into this issue. Thanks. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181004/d680c5f5/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-12 10:31 UTC
[Bug 1281] Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
https://bugzilla.netfilter.org/show_bug.cgi?id=1281 Phil Sutter <phil at nwl.cc> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |phil at nwl.cc Resolution|--- |INVALID --- Comment #1 from Phil Sutter <phil at nwl.cc> --- Hi, (In reply to seungheon from comment #0) [...]> I want to use nft -f command for enrolling rule. > This is my rule. > -------------------------------------------------------------------- > table ip testbed_nat { > chain preroutingnat_200 { > type nat hook prerouting priority -300; policy accept; > } > chain postroutingnat_200 { > type nat hook postrouting priority -300; policy accept; > } > } > -------------------------------------------------------------------- > > But, the result of nft -f command is this. > ~# nft -f rule > rule:4:15-31: Error: Could not process rule: Operation not supported > chain preroutingnat_200 { > ^^^^^^^^^^^^^^^^^ > rule:10:15-32: Error: Could not process rule: Operation not supported > chain postroutingnat_200 { > ^^^^^^^^^^^^^^^^^^ > > I changed priority value -300 -> -199, it worked. But i changed value over > -200, it didn't work. > And I changed kernel version 4.18.10 to 4.15 or 4.13, then it worked.Starting with Linux kernel version 4.16, nftables rejects nat chains hooking before conntrack as that would not work. Related commit is: commit 84ba7dd71add05b52e55c60b4a3af9bb6194c73d Author: Florian Westphal <fw at strlen.de> Date: Fri Dec 8 17:01:55 2017 +0100 netfilter: nf_tables: reject nat hook registration if prio is before conntrack No problem for iptables as priorities are fixed values defined in the nat modules, but in nftables the priority its coming from userspace. Reject in case we see that such a hook would not work. Signed-off-by: Florian Westphal <fw at strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org> So in summary, you can't use a priority value lower than or equal to -200 for nat type chains. I'll take a note to reject this in userspace though (and provide a descriptive error message, not just EOPNOTSUPP). Thanks, Phil -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/316ffc73/attachment-0001.html>
Apparently Analagous Threads
- [Bug 1254] New: nft commandline tool can't parse negative priority values.
- [Announce] Samba 4.18.10 Available for Download
- [Announce] Samba 4.18.10 Available for Download
- CESA-2014:1281 Moderate CentOS 7 kernel Security Update
- [Bug 1354] New: cat foo.nft | nft -f - produces syntax error not seen with nft -f foo.nft