* autoload of nft modules
@ 2016-04-27 8:52 Daniel Wagner
2016-04-27 12:54 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Daniel Wagner @ 2016-04-27 8:52 UTC (permalink / raw)
To: netfilter; +Cc: connman, Dragos Tatulea
Hi,
Dragos and I are working on getting nft support into ConnMan [1]. Now we
face a small problem with the rule we load, which are essentially:
nft add table connman
nft add chain connman nat-prerouting \
{ type nat hook prerouting priortiy 0 ; }
nft add chain connman nat-postrouting \
{ type nat hook postrouting priortiy 0 ; }
nft add chain connman filter-output \
{ type filter hook output priority 0 ; }
These work nicely using the nft CLI but when we run those commands
via libnftnl after a fresh reboot of the system, there is a ENOENT at
the third rule.
If though all related modules are loaded (e.g. via running the nft cli
first) there is no problem.
So my question is, do we need to load the modules our self first or
should the kernel load the modules by itself?
That is observed with libnftnl 1.0.5 and kernel 4.4.6.
cheers,
daniel
[1] https://lists.01.org/pipermail/connman/2016-April/000643.html
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: autoload of nft modules
2016-04-27 8:52 autoload of nft modules Daniel Wagner
@ 2016-04-27 12:54 ` Pablo Neira Ayuso
2016-04-29 5:33 ` Daniel Wagner
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-04-27 12:54 UTC (permalink / raw)
To: Daniel Wagner; +Cc: netfilter, connman, Dragos Tatulea
On Wed, Apr 27, 2016 at 10:52:13AM +0200, Daniel Wagner wrote:
> Hi,
>
> Dragos and I are working on getting nft support into ConnMan [1]. Now we
> face a small problem with the rule we load, which are essentially:
>
> nft add table connman
> nft add chain connman nat-prerouting \
> { type nat hook prerouting priortiy 0 ; }
> nft add chain connman nat-postrouting \
> { type nat hook postrouting priortiy 0 ; }
> nft add chain connman filter-output \
> { type filter hook output priority 0 ; }
>
> These work nicely using the nft CLI but when we run those commands
> via libnftnl after a fresh reboot of the system, there is a ENOENT at
> the third rule.
Most likely you're missing the NLM_F_CREATE flags in your netlink
messages.
Please, send us patches for the example so other don't hit this
problem.
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: autoload of nft modules
2016-04-27 12:54 ` Pablo Neira Ayuso
@ 2016-04-29 5:33 ` Daniel Wagner
0 siblings, 0 replies; 3+ messages in thread
From: Daniel Wagner @ 2016-04-29 5:33 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter, connman, Dragos Tatulea
On 04/27/2016 02:54 PM, Pablo Neira Ayuso wrote:
> On Wed, Apr 27, 2016 at 10:52:13AM +0200, Daniel Wagner wrote:
>> Dragos and I are working on getting nft support into ConnMan [1]. Now we
>> face a small problem with the rule we load, which are essentially:
>>
>> nft add table connman
>> nft add chain connman nat-prerouting \
>> { type nat hook prerouting priortiy 0 ; }
>> nft add chain connman nat-postrouting \
>> { type nat hook postrouting priortiy 0 ; }
>> nft add chain connman filter-output \
>> { type filter hook output priority 0 ; }
>>
>> These work nicely using the nft CLI but when we run those commands
>> via libnftnl after a fresh reboot of the system, there is a ENOENT at
>> the third rule.
>
> Most likely you're missing the NLM_F_CREATE flags in your netlink
> messages.
Yes, that did they the trick.
> Please, send us patches for the example so other don't hit this
> problem.
Will do.
thanks,
daniel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-29 5:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-27 8:52 autoload of nft modules Daniel Wagner
2016-04-27 12:54 ` Pablo Neira Ayuso
2016-04-29 5:33 ` Daniel Wagner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox