bugzilla-daemon at netfilter.org
2017-Aug-22  17:29 UTC
[Bug 1173] New: Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
            Bug ID: 1173
           Summary: Documentation/error messages around NAT statements in
                    "inet" tables incorrect
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com
Observed behavior:
=================
No matter what the documentation says, it appears that NAT statements can't
be in an "inet" table.  The error messages are unhelpful in deducing this.
Expected behavior:
=================
* NAT statements could be present in inet tables as it is already limited to
IPv4/IPv6 packets, at least as I understand it.
<http://www.netfilter.org/projects/nftables/manpage.html>
"inet
     Internet (IPv4/IPv6) address family."
ibid., under "NAT STATEMENTS" 
"The nat statements are only valid from nat chain types."
(with no statement there that a nat chain can't be in an inet table)
ibid., under "TABLES"
"The inet address family is a dummy family which is used to create hybrid
IPv4/IPv6 tables."
ibid., under "CHAINS"
(No indication that NAT chains cannot be contained within inet tables)
<https://wiki.nftables.org/wiki-nftables/index.php/Why_nftables%3F>
"Simplified dual stack IPv4/IPv6 administration, through the new inet family
that allows you to register base chains that see both IPv4 and IPv6 traffic."
* Error messages point to the likely cause of the problem, as well as how to
resolve it (at least *where* in the file the problem occurred)
Desired outcomes:
================
* Critical -- update documentation; user shouldn't have to "guess" as to the
problem
* Major -- provide "insightful" error messages
* Enhancement -- allow NAT statements in inet tables
To replicate:
============
Parses and loads with "table ip"
===============================
#!/usr/sbin/nft -f
flush ruleset
table ip global {
    chain nat_in {
        type nat hook prerouting priority -100
        continue
    }
    chain nat_out {
        type nat hook postrouting priority -100
        continue
    }
}
Fails with "table inet"
======================
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain nat_in {
        type nat hook prerouting priority -100
        continue
    }
    chain nat_out {
        type nat hook postrouting priority -100
        continue
    }
}
The error messages here are different, but equally useless
$ sudo nft -f nftables.conf
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
When NAT statements occur in a non-trivial rule set, the error messages are
unhelpful as well:
Adding simple NAT statements results in "meaningless" reference in error
message:
    In file included from nftables.conf:114:5-45:
    ./blackhole_check_internal.nft:6:54-57: Error: NAT is only supported for
IPv4/IPv6
    nal_allowed_net {
                                                         ^^^^
That's a non sequitur, nowhere near any NAT-related statement.
The NAT-related statements are in an "inet" table.
The NAT-related statements are all "protected" with "ip version 4" now,
and the problem still persists.
(See further <http://www.spinics.net/lists/netfilter/msg57562.html>)
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170822/7517aaa5/attachment.html>
bugzilla-daemon at netfilter.org
2017-Aug-22  19:50 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
~/build/nftables$ git log -1
commit d74eed8c9649e9278b69f2cd0fd92f71e3e19cfb (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
Author: Varsha Rao <rvarsha016 at gmail.com>
Date:   Wed Aug 16 19:48:17 2017 +0530
~/build/libmnl$ git log -1
commit fbe0f33b45abd585eb9f52cb56d751a750667dc6 (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
Author: Guillaume Nault <g.nault at alphalink.fr>
Date:   Wed Aug 3 12:52:34 2016 +0200
~/build/libnftnl$ git log -1
commit d58998312375de0865091cfc5d00ddd271d9a44c (HEAD -> master, tag: 2017-08-19)
Author: Eric Leblond <eric at regit.org>
Date:   Thu Jul 6 13:58:27 2017 +0100
bugzilla-daemon at netfilter.org
2019-Jul-12  10:12 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org         |fw at strlen.de
bugzilla-daemon at netfilter.org
2019-Jul-16  16:31 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
Florian Westphal <fw at strlen.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #2 from Florian Westphal <fw at strlen.de> ---
resolving this as new kernels support NAT chain type in the inet table as well.
bugzilla-daemon at netfilter.org
2020-Nov-02  10:05 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |c-d.hailfinger.devel.2006 at gmx.net
--- Comment #3 from Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> ---
The unhelpful "Could not process rule: No such file or directory" error
messages are still there on nft 0.9.6 when run with kernel 4.19.
bugzilla-daemon at netfilter.org
2020-Nov-02  10:08 UTC
[Bug 1173] Documentation/error messages around NAT statements in "inet" tables incorrect
https://bugzilla.netfilter.org/show_bug.cgi?id=1173
--- Comment #4 from Florian Westphal <fw at strlen.de> ---
(In reply to Carl-Daniel Hailfinger from comment #3)
> The unhelpful "Could not process rule: No such file or directory" error
> messages are still there on nft 0.9.6 when run with kernel 4.19.
Inet family nat needs kernel v5.2 or newer.
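A preflight check that encodes what this thread establishes, added here as an example and not part of the bug report or the nftables project: it detects a nat-type chain declared inside a "table inet" block and, on a kernel older than v5.2 (the requirement stated in comment #4), prints the real reason instead of letting nft fail with the bare "No such file or directory" quoted above. The function names, the sample ruleset (trimmed from the report's own "table inet" example) and the version-string parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the nftables project: preflight a
# ruleset that declares a nat-type chain in an "inet" table. Per comment #4,
# inet-family NAT needs kernel v5.2 or newer; older kernels make nft fail with
# the bare "Could not process rule: No such file or directory" quoted above.

# Return 0 if a kernel release string (as printed by `uname -r`) is >= 5.2.
inet_nat_supported() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    minor=${minor:-0}
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Return 0 if the ruleset file ("-" for stdin) declares a "type nat" chain
# inside a "table inet" block; nat chains in ip/ip6 tables are not flagged.
ruleset_has_inet_nat() {
    awk '
        /^[[:space:]]*table[[:space:]]+inet[[:space:]]/ { in_inet = 1 }
        /^[[:space:]]*table[[:space:]]+(ip|ip6|arp|bridge|netdev)[[:space:]]/ { in_inet = 0 }
        /^}/ { in_inet = 0 }
        in_inet && /type[[:space:]]+nat[[:space:]]/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "${1:--}"
}

# Return 2 (with an explanation on stderr) when the ruleset needs inet NAT but
# the kernel cannot provide it; otherwise 0. Kernel defaults to the running one.
check_inet_nat_ruleset() {
    file=${1:--}
    kernel=${2:-$(uname -r)}
    if ruleset_has_inet_nat "$file" && ! inet_nat_supported "$kernel"; then
        echo "$file: nat chain in an inet table needs kernel >= 5.2 (running $kernel);" \
             "nft would fail with 'Could not process rule: No such file or directory'" >&2
        return 2
    fi
    return 0
}

# Constructed sample: the "table inet" ruleset from the report, trimmed.
SAMPLE_INET_NAT='table inet global {
    chain nat_in {
        type nat hook prerouting priority -100
        continue
    }
}'
```

Typical use before loading is `check_inet_nat_ruleset nftables.conf && nft -f nftables.conf`, so the load is skipped with a clear message on a pre-5.2 kernel.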