From: Pablo Neira Ayuso <pablo@netfilter.org>
To: leroy christophe <christophe.leroy@c-s.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: issue with nftable - goto : Operation not supported
Date: Wed, 26 Nov 2014 18:47:21 +0100
Message-ID: <20141126174721.GA3815@salvia>
In-Reply-To: <54760ABA.4040900@c-s.fr>

On Wed, Nov 26, 2014 at 06:15:38PM +0100, leroy christophe wrote:
> 
> On 26/11/2014 14:00, Pablo Neira Ayuso wrote:
> >On Tue, Nov 25, 2014 at 06:29:53PM +0100, leroy christophe wrote:
> >>Using nft, I'm trying to jump to another table from the end of a
> >>table and I get the following error.
> >>
> >>root@localhost:~# nft add rule filter input  goto accs
> >><cmdline>:1:1-31: Error: Could not process rule: Operation not supported
> >>add rule filter input goto accs
> >>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>
> >>What could be the reason?
> >>
> >>I'm using
> >>* nftables-20141121
> >>* gmp-4.3.2
> >>* libmnl-1.0.3
> >>* libnfnetlink-1.0.1
> >>* libnftnl-20141121
> >>* libnetfilter_conntrack-1.0.4
> >Kernel version?
> 3.17.4
> >
> >Could you run this command with strace:
> >
> >strace nft add rule ...
> See at the end
> >
> >Could you post the relevant part of your ruleset (table and chain
> >configuration)?
> root@vgoip:~# nft list table filter
> table ip filter {
>         chain forward {
>                  type filter hook forward priority 0;
>                  drop
>         }
> }
> 
> root@vgoip:~# ./mynft.sh start

Use 'nft -f file' to load your ruleset instead of scripts.  Otherwise
the rule-set is not loaded atomically, and it will also take longer to
load your ruleset.

Please, help spread the word, people should use nft -f.

> + echo Starting NFTABLES test ...
> Starting NFTABLES test ...
> + Start
> + nft add chain ip filter rej { type filter hook input priority 20 ; }
> + nft add rule filter rej ip saddr 192.168.2.0/24 reject with icmp
> type host-prohibited
> + nft add rule filter rej drop
> + nft add chain ip filter test { type filter hook input priority 10 ; }
> + nft add rule filter test meta oifname lo accept
> + nft add rule filter test icmp type echo-request ip saddr
> 192.168.2.1 accept
> + nft add rule filter test icmp type
> {echo-request,timestamp-request} goto rej
> <cmdline>:1:1-72: Error: Could not process rule: Operation not supported
> add rule filter test icmp type {echo-request,timestamp-request} goto rej
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You cannot 'goto' a base chain, note that 'rej' is a base chain.

+ nft add chain ip filter rej { type filter hook input priority 20 ; }

I guess your intention was to define this as a non-base chain, ie.

 nft add chain ip filter rej

Note that non-base chains don't see any traffic unless there is a rule
that jumps/goes to them.
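The ruleset from the script above, rewritten as an added example (not from the thread) in the form `nft -f` expects, with `rej` declared as a regular chain so that `goto rej` is accepted. It assumes the loopback match should be `iifname` (the original script used `oifname`, which never matches in an input-hook chain).

```nft
# Added example, not the original poster's script: the same policy as an
# 'nft -f' ruleset. Base chains are the ones with a 'type ... hook ...'
# line; they cannot be the target of jump/goto. Regular chains have no
# hook and only see packets that a rule explicitly jumps/goes to them.
table ip filter {
    chain forward {
        type filter hook forward priority 0;
        drop
    }

    # Regular chain: no type/hook/priority line, so it is a valid goto target.
    chain rej {
        ip saddr 192.168.2.0/24 reject with icmp type host-prohibited
        drop
    }

    chain test {
        type filter hook input priority 10;
        # Assumption: loopback traffic is matched on the input interface.
        iifname "lo" accept
        icmp type echo-request ip saddr 192.168.2.1 accept
        # 'goto' hands the packet to 'rej' and does not return to 'test';
        # use 'jump' instead if evaluation should continue here afterwards.
        icmp type { echo-request, timestamp-request } goto rej
    }
}
```

Load it with `nft -f <file>`, as recommended above; because the file declares the table rather than replacing it, loading it a second time onto a live `filter` table appends the rules again.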
