Why inet table doesn't support nat prerouting chain?

Why inet table doesn't support nat prerouting chain?

[Glen Huang]

Hi,

It seems I can create a nat prerouting chain in either ip or ip6 table, but not inet, I wonder if that’s by design?

$ nft list ruleset
<empty output>
$ nft create table inet tbl
<empty output>
$ nft add chain inet tbl prerouting \{ type nat hook prerouting priority dstnat \; \}
Error: Could not process rule: No such file or directory
add chain inet tbl prerouting { type nat hook prerouting priority dstnat ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
$ nft list ruleset
table inet tbl {
}

If I replace inet with ip or ip6 then the previous commands work.

I tried them in docker with manually compiled nft 0.9.3, and also in debian 10.3 which has nft 0.9.0 (it doesn’t recognize dstnat, but replacing it with 0 results in the same error).

Do I have to create such chains separately for ip and ip6 tables?

Regards

Re: Why inet table doesn't support nat prerouting chain?

[Florian Westphal]

Glen Huang <heyhgl@gmail.com> wrote:
> Hi,
> 
> It seems I can create a nat prerouting chain in either ip or ip6 table, but not inet, I wonder if that’s by design?

Kernel too old? Should work as of 5.2.

Re: Why inet table doesn't support nat prerouting chain?

[Glen Huang]

Oh, that explains it. Debian 10.3 comes with 4.19.

Thanks, guess I have to create them separately for now.

> On Mar 6, 2020, at 7:37 PM, Florian Westphal <fw@strlen.de> wrote:
> 
> Glen Huang <heyhgl@gmail.com> wrote:
>> Hi,
>> 
>> It seems I can create a nat prerouting chain in either ip or ip6 table, but not inet, I wonder if that’s by design?
> 
> Kernel too old? Should work as of 5.2.