bugzilla-daemon at netfilter.org
2018-Oct-04 06:43 UTC
[Bug 1281] New: Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
https://bugzilla.netfilter.org/show_bug.cgi?id=1281
Bug ID: 1281
Summary: Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: critical
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: seungheon_jang at tmax.co.kr
Hi. I'm using OS 'Ubuntu 18.04'. The kernel version is '4.18.10',
and the nft version is 'nftables v0.9.0 (Fearless Fosdick)'.
I installed these packages:
libjansson4_2.11-1_amd64.deb
libnftnl7_1.1.1-1_amd64.deb
libnftables0_0.9.0-1_amd64.deb
nftables_0.9.0-1_amd64.deb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I want to use the nft -f command to load a rule.
This is my rule.
--------------------------------------------------------------------
table ip testbed_nat {
    chain preroutingnat_200 {
        type nat hook prerouting priority -300; policy accept;
    }
    chain postroutingnat_200 {
        type nat hook postrouting priority -300; policy accept;
    }
}
--------------------------------------------------------------------
But the result of the nft -f command is this.
~# nft -f rule
rule:4:15-31: Error: Could not process rule: Operation not supported
chain preroutingnat_200 {
^^^^^^^^^^^^^^^^^
rule:10:15-32: Error: Could not process rule: Operation not supported
chain postroutingnat_200 {
^^^^^^^^^^^^^^^^^^
I changed the priority value from -300 to -199 and it worked. But when I changed the value to over -200, it didn't work.
And when I changed the kernel version from 4.18.10 to 4.15 or 4.13, it worked.
I want to use nft on kernel version 4.18.10.
Please look into this issue.
Thanks.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181004/d680c5f5/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-12 10:31 UTC
[Bug 1281] Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.
https://bugzilla.netfilter.org/show_bug.cgi?id=1281
Phil Sutter <phil at nwl.cc> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |phil at nwl.cc
Resolution|--- |INVALID
--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Hi,
(In reply to seungheon from comment #0)
[...]
> I want to use nft -f command for enrolling rule.
> This is my rule.
> --------------------------------------------------------------------
> table ip testbed_nat {
>     chain preroutingnat_200 {
>         type nat hook prerouting priority -300; policy accept;
>     }
>     chain postroutingnat_200 {
>         type nat hook postrouting priority -300; policy accept;
>     }
> }
> --------------------------------------------------------------------
>
> But, the result of nft -f command is this.
> ~# nft -f rule
> rule:4:15-31: Error: Could not process rule: Operation not supported
> chain preroutingnat_200 {
> ^^^^^^^^^^^^^^^^^
> rule:10:15-32: Error: Could not process rule: Operation not supported
> chain postroutingnat_200 {
> ^^^^^^^^^^^^^^^^^^
>
> I changed priority value -300 -> -199, it worked. But i changed value over
> -200, it didn't work.
> And I changed kernel version 4.18.10 to 4.15 or 4.13, then it worked.
Starting with Linux kernel version 4.16, nftables rejects nat chains hooking
before conntrack as that would not work. Related commit is:
commit 84ba7dd71add05b52e55c60b4a3af9bb6194c73d
Author: Florian Westphal <fw at strlen.de>
Date: Fri Dec 8 17:01:55 2017 +0100
    netfilter: nf_tables: reject nat hook registration if prio is before conntrack

    No problem for iptables as priorities are fixed values defined in the
    nat modules, but in nftables the priority is coming from userspace.
    Reject in case we see that such a hook would not work.
Signed-off-by: Florian Westphal <fw at strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
So in summary, you can't use a priority value lower than or equal to -200
for nat type chains.
I'll take a note to reject this in userspace though (and provide a
descriptive error message, not just EOPNOTSUPP).
Thanks, Phil
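The userspace check Phil describes, written here as an added standalone lint script (not nftables' own code): it walks a ruleset file in the plain integer-priority syntax of nftables 0.9.0 and reports every nat-type chain whose priority is at or before conntrack (-200), i.e. the chains the 4.16+ kernel answers with EOPNOTSUPP. Named priorities and priority arithmetic are assumed absent and are not parsed; the embedded ruleset is constructed from the report plus one passing chain.

```python
"""Lint an nftables ruleset for nat chains that hook before conntrack."""
import re
import sys

# Kernel constant NF_IP_PRI_CONNTRACK. Since Linux 4.16 nf_tables rejects a
# nat hook whose priority is <= this value instead of registering it.
NF_IP_PRI_CONNTRACK = -200

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+)\s*;")


def check_nat_priorities(ruleset: str):
    """Return (chain, hook, priority) for each nat chain the kernel would reject.

    Assumption: integer priorities only, one 'type ... hook ... priority N;'
    line per chain, as in nftables 0.9.0 syntax.
    """
    rejected = []
    chain = None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if m and chain is not None:
            ctype, hook, prio = m.group(1), m.group(2), int(m.group(3))
            if ctype == "nat" and prio <= NF_IP_PRI_CONNTRACK:
                rejected.append((chain, hook, prio))
    return rejected


# Constructed sample: the reporter's two chains plus one at -199 that loads fine.
SAMPLE = """\
table ip testbed_nat {
    chain preroutingnat_200 {
        type nat hook prerouting priority -300; policy accept;
    }
    chain postroutingnat_200 {
        type nat hook postrouting priority -300; policy accept;
    }
    chain preroutingnat_ok {
        type nat hook prerouting priority -199; policy accept;
    }
}
"""

if __name__ == "__main__":
    # Usage: python lint.py ruleset.nft  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for chain, hook, prio in check_nat_priorities(text):
        print(f"{chain}: nat hook {hook} priority {prio} <= {NF_IP_PRI_CONNTRACK}; "
              "kernel >= 4.16 rejects this with EOPNOTSUPP")
```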