cannot create a nat type base (pre/post routing) chain

cannot create a nat type base (pre/post routing) chain

[Norbert van Bolhuis]

Hi All,

For some reason I cannot create a base (pre/post routing) chain in my nat table.
I'm doing:

# nft list ruleset
table ip nat {
}

# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Error: Could not process rule: No such file or directory
add chain nat postrouting { type nat hook postrouting priority 100 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
Error: Could not process rule: No such file or directory
add chain nat prerouting { type nat hook prerouting priority 0 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


I'm using:

# nft -v
nftables v0.9.3 (Topsy)
# uname -a
Linux OpenWrt 5.4.34 #0 SMP Thu Apr 23 16:39:48 2020 aarch64 GNU/Linux


and I'm following:

https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)


I guess all required kernel modules are loaded, see:
# lsmod | grep nf_table
nf_tables             122880 22 
nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_fwd_netdev,nft_flow_offload,nft_dup_netdev,nft_ct,nft_counter,nf_tables_set
nf_tables_set          28672  0
nfnetlink              16384  1 nf_tables
# lsmod | grep nft_
nf_conntrack           86016  8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_rtcache
nf_dup_netdev          16384  2 nft_fwd_netdev,nft_dup_netdev
nf_flow_table          24576  5 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload,nf_flow_table_hw
nf_nat                 36864  3 nft_redir,nft_nat,nft_masq
nf_reject_ipv4         16384  2 nft_reject_ipv4,nft_reject_inet
nf_reject_ipv6         16384  2 nft_reject_ipv6,nft_reject_inet
nf_tables             122880 22 
nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_fwd_netdev,nft_flow_offload,nft_dup_netdev,nft_ct,nft_counter,nf_tables_set
nft_counter            16384  0
nft_ct                 20480  0
nft_dup_netdev         16384  0
nft_flow_offload       16384  0
nft_fwd_netdev         16384  0
nft_hash               16384  0
nft_limit              16384  0
nft_log                16384  0
nft_masq               16384  0
nft_nat                16384  0
nft_numgen             16384  0
nft_objref             16384  0
nft_quota              16384  0
nft_redir              16384  0
nft_reject             16384  3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
nft_reject_inet        16384  0
nft_reject_ipv4        16384  0
nft_reject_ipv6        16384  0

iptable_nat module isn't loaded:
# lsmod | grep ipt
#


Anybody know what is wrong? or how I can (easily) find out what is wrong?

Thanks.

---
Norbert

Re: cannot create a nat type base (pre/post routing) chain

[Norbert van Bolhuis]

Hmmm. when I builtin nf_tables in the kernel, it works, see:


root@OpenWrt:~# gzip -dc /proc/config.gz | grep NFT_
CONFIG_NFT_NUMGEN=y
CONFIG_NFT_CT=y
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_COUNTER=y
CONFIG_NFT_CONNLIMIT=y
CONFIG_NFT_LOG=y
CONFIG_NFT_LIMIT=y
CONFIG_NFT_MASQ=y
CONFIG_NFT_REDIR=y
CONFIG_NFT_NAT=y
CONFIG_NFT_TUNNEL=y
CONFIG_NFT_OBJREF=y
CONFIG_NFT_QUOTA=y
CONFIG_NFT_REJECT=y
CONFIG_NFT_REJECT_INET=y
CONFIG_NFT_HASH=y
# CONFIG_NFT_SOCKET is not set
# CONFIG_NFT_OSF is not set
# CONFIG_NFT_TPROXY is not set
# CONFIG_NFT_SYNPROXY is not set
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_REJECT_IPV4=y
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
CONFIG_NFT_REJECT_IPV6=y
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NFT_BRIDGE_META is not set
# CONFIG_NFT_BRIDGE_REJECT is not set
root@OpenWrt:~# gzip -dc /proc/config.gz | grep NF_T
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_SET=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
# CONFIG_NF_TPROXY_IPV4 is not set
CONFIG_NF_TABLES_IPV4=y
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_TPROXY_IPV6 is not set
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=y
root@OpenWrt:~# lsmod | grep nf_table
root@OpenWrt:~# lsmod | grep nft_
nf_dup_netdev          16384  2 nft_fwd_netdev,nft_dup_netdev
nf_flow_table          24576  5 nft_flow_offload,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nf_flow_table_hw
nft_dup_netdev         16384  0
nft_flow_offload       16384  0
nft_fwd_netdev         16384  0
root@OpenWrt:~# lsmod | grep ipt
root@OpenWrt:~# uname -a
Linux OpenWrt 5.4.34 #0 SMP Thu Apr 23 16:39:48 2020 aarch64 GNU/Linux
root@OpenWrt:~# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
	}
}
root@OpenWrt:~#


I guess it's some kind of openwrt nf_tables (module) build/incompatibility problem!?




On 2020-04-28 15:38, Norbert van Bolhuis wrote:
> Hi All,
> 
> For some reason I cannot create a base (pre/post routing) chain in my nat table.
> I'm doing:
> 
> # nft list ruleset
> table ip nat {
> }
> 
> # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
> Error: Could not process rule: No such file or directory
> add chain nat postrouting { type nat hook postrouting priority 100 ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> # nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> Error: Could not process rule: No such file or directory
> add chain nat prerouting { type nat hook prerouting priority 0 ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 
> I'm using:
> 
> # nft -v
> nftables v0.9.3 (Topsy)
> # uname -a
> Linux OpenWrt 5.4.34 #0 SMP Thu Apr 23 16:39:48 2020 aarch64 GNU/Linux
> 
> 
> and I'm following:
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
> 
> 
> I guess all required kernel modules are loaded, see:
> # lsmod | grep nf_table
> nf_tables             122880 22 
> nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_fwd_netdev,nft_flow_offload,nft_dup_netdev,nft_ct,nft_counter,nf_tables_set 
> 
> nf_tables_set          28672  0
> nfnetlink              16384  1 nf_tables
> # lsmod | grep nft_
> nf_conntrack           86016  8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_rtcache
> nf_dup_netdev          16384  2 nft_fwd_netdev,nft_dup_netdev
> nf_flow_table          24576  5 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload,nf_flow_table_hw
> nf_nat                 36864  3 nft_redir,nft_nat,nft_masq
> nf_reject_ipv4         16384  2 nft_reject_ipv4,nft_reject_inet
> nf_reject_ipv6         16384  2 nft_reject_ipv6,nft_reject_inet
> nf_tables             122880 22 
> nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_fwd_netdev,nft_flow_offload,nft_dup_netdev,nft_ct,nft_counter,nf_tables_set 
> 
> nft_counter            16384  0
> nft_ct                 20480  0
> nft_dup_netdev         16384  0
> nft_flow_offload       16384  0
> nft_fwd_netdev         16384  0
> nft_hash               16384  0
> nft_limit              16384  0
> nft_log                16384  0
> nft_masq               16384  0
> nft_nat                16384  0
> nft_numgen             16384  0
> nft_objref             16384  0
> nft_quota              16384  0
> nft_redir              16384  0
> nft_reject             16384  3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
> nft_reject_inet        16384  0
> nft_reject_ipv4        16384  0
> nft_reject_ipv6        16384  0
> 
> iptable_nat module isn't loaded:
> # lsmod | grep ipt
> #
> 
> 
> Anybody know what is wrong? or how I can (easily) find out what is wrong?
> 
> Thanks.
> 
> ---
> Norbert

Re: cannot create a nat type base (pre/post routing) chain

[Pablo Neira Ayuso]

On Wed, Apr 29, 2020 at 11:36:13AM +0200, Norbert van Bolhuis wrote:
[...]
> I guess it's some kind of openwrt nf_tables (module) build/incompatibility problem!?

Your lsmod listing does not show nft_chain_nat, this module should
autoload when you invoke:

        add chain nat prerouting { type nat hook prerouting priority 0 ; }

Did you try modinfo / modprobe nft_chain_nat manually to check if you
can reach this module?

Re: cannot create a nat type base (pre/post routing) chain

[Norbert van Bolhuis]

On 2020-04-29 11:44, Pablo Neira Ayuso wrote:
> On Wed, Apr 29, 2020 at 11:36:13AM +0200, Norbert van Bolhuis wrote:
> [...]
>> I guess it's some kind of openwrt nf_tables (module) build/incompatibility problem!?
> 
> Your lsmod listing does not show nft_chain_nat, this module should
> autoload when you invoke:
> 
>          add chain nat prerouting { type nat hook prerouting priority 0 ; }
> 
> Did you try modinfo / modprobe nft_chain_nat manually to check if you
> can reach this module?
> 


No, I didn't.

I do remember looking for the nft_chain_nat module, but I guess couldn't find it.

I guess this could be it. I may try later to see if this resolves the problem.

Thanks for your answer.