bugzilla-daemon at netfilter.org
2023-Jul-28 17:03 UTC
[Bug 1694] New: can't use "priority dstnat" in "hook output" (or srcnat in input)
https://bugzilla.netfilter.org/show_bug.cgi?id=1694

    Bug ID: 1694
    Summary: can't use "priority dstnat" in "hook output" (or srcnat in input)
    Product: nftables
    Version: 1.0.x
    Hardware: x86_64
    OS: All
    Status: NEW
    Severity: minor
    Priority: P5
    Component: nft
    Assignee: pablo at netfilter.org
    Reporter: danw at redhat.com
    CC: fw at strlen.de

The "dnat" command is usable from either "prerouting" or "output", but the "dstnat" priority is only usable from "prerouting". (Likewise, "snat" is usable from either "postrouting" or "input", but "srcnat" is only usable from "postrouting".)

Maybe the priorities matter in the prerouting and postrouting chains, but not in input and output? But if so, nothing in the man page or wiki explains that. Also, the sample files (e.g. http://git.netfilter.org/nftables/tree/files/nftables/ipv4-nat.nft?h=v1.0.8) use "type nat hook output priority -100" and "type nat hook input priority 100", implying that those hooks *are* supposed to use those priorities...

bugzilla-daemon at netfilter.org
2023-Jul-28 17:48 UTC
[Bug 1694] can't use "priority dstnat" in "hook output" (or srcnat in input)
https://bugzilla.netfilter.org/show_bug.cgi?id=1694

Florian Westphal <fw at strlen.de> changed:

    What       |Removed |Added
    ----------------------------------
    Status     |NEW     |RESOLVED
    Resolution |---     |FIXED

--- Comment #1 from Florian Westphal <fw at strlen.de> ---

nft is just too strict here, I've sent a patch to relax this.

Flagging this as resolved, I'll push the patch in the next few days.

http://patchwork.ozlabs.org/project/netfilter-devel/patch/20230728174320.127518-1-fw at strlen.de/

You can work around this by using the raw numbers instead of the mnemonics, i.e. -100 for dst and 100 for src.