[nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 3479 bytes --]

Since the ruleset that worked with kernel 4.19 did not anymore with 
kernel 5.4 (throwing segfault) I started from scratch to see what gives.

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
nft add chain inet filter output    { type filter hook output priority 0 
\; }
nft add table inet nat

Thus far good and then things go awry and the output does not help to 
understand what might be wrong:

nft add chain inet nat prerouting { type nat hook prerouting priority 
\-100 \; }
nft: unrecognized option: 1

and next up

nft add chain inet nat postrouting { type nat hook postrouting priority 
100 \; }
Error: Could not process rule: No such file or directory

Has there been some syntax change for NAT?  Checked the kconf and loaded 
module but don't see anything amiss?

xzgrep _NAT /proc/config.gz
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NFT_NAT=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_NAT=m
CONFIG_IP6_NF_NAT=m
CONFIG_BRIDGE_EBT_T_NAT=m
# CONFIG_NET_ACT_NAT is not set

lsmod | grep 'nf_nat\|nft_nat'
nf_nat_amanda          16384  0
nf_conntrack_amanda    16384  4 nf_nat_amanda
nft_nat                16384  0
nf_tables             114688  28 
nft_ct,nft_reject_bridge,nft_nat,nft_numgen,nft_fwd_netdev,nf_flow_table_ipv6,nft_redir,nf_flow_table_ipv4,nft_fib_inet,nft_reject,nft_reject_ipv6,nft_reject_ipv4,nft_limit,nf_tables_set,nft_dup_netdev,nft_flow_offload,nf_flow_table_inet,nft_meta_bridge,nft_masq,nft_fib,nft_reject_inet,nft_fib_ipv6,nft_objref,nft_fib_ipv4,nft_hash,nft_quota,nft_counter,nft_log
nf_nat_tftp            16384  0
nf_nat_snmp_basic      16384  0
nf_nat_sip             20480  0
nf_nat_pptp            16384  0
nf_nat_irc             16384  0
nf_nat_h323            16384  0
nf_nat_ftp             16384  0
nf_nat                 32768  14 
nft_nat,nf_nat_pptp,nft_redir,xt_nat,nf_nat_h323,nf_nat_sip,nf_nat_irc,xt_MASQUERADE,iptable_nat,nft_masq,nf_nat_ftp,nf_nat_amanda,xt_REDIRECT,nf_nat_tftp
nf_conntrack_tftp      16384  4 nf_nat_tftp
nf_conntrack_snmp      16384  4 nf_nat_snmp_basic
nf_conntrack_sip       28672  7 nf_nat_sip
nf_conntrack_pptp      16384  4 nf_nat_pptp
nf_conntrack_irc       16384  4 nf_nat_irc
nf_conntrack_h323      45056  7 nf_nat_h323
nf_conntrack_ftp       16384  4 nf_nat_ftp
nf_conntrack           81920  39 
nft_ct,xt_state,nft_nat,nf_nat_pptp,nf_conntrack_sip,nft_redir,act_ctinfo,nf_conntrack_snmp,nf_conncount,nf_conntrack_irc,xt_nat,nf_nat_h323,act_connmark,nf_flow_table,nf_conntrack_ftp,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_tftp,nft_flow_offload,nf_nat_irc,xt_MASQUERADE,xt_connmark,nf_conntrack_pptp,nft_masq,nf_conntrack_amanda,nf_conntrack_rtcache,xt_helper,nf_conntrack_broadcast,nf_nat_ftp,nf_nat_amanda,xt_connlimit,nf_conntrack_netlink,xt_connbytes,xt_CT,nf_conntrack_h323,xt_conntrack,xt_REDIRECT,nf_nat_tftp,nf_nat
asn1_decoder           16384  2 nf_nat_snmp_basic,rsa_generic

[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Florian Westphal]

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
> 5.4 (throwing segfault) I started from scratch to see what gives.
> 
> nft add table inet filter
> nft add chain inet filter input { type filter hook input priority 0 \; }
> nft add chain inet filter forward { type filter hook forward priority 0 \; }
> nft add chain inet filter output    { type filter hook output priority 0 \;
> }
> nft add table inet nat
> 
> Thus far good and then things go awry and the output does not help to
> understand what might be wrong:
> 
> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
> \; }
> nft: unrecognized option: 1

If you use the shell, you should use single-quote for the entire
arguments.  nft 'add chain ...'

here, nft thinks you passed '-1' as an option.

> and next up
> 
> nft add chain inet nat postrouting { type nat hook postrouting priority 100
> \; }
> Error: Could not process rule: No such file or directory

inet nat depends on CONFIG_NF_TABLES_INET.

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 1505 bytes --]

On 23/06/2020 21:23, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
>> 5.4 (throwing segfault) I started from scratch to see what gives.
>>
>> nft add table inet filter
>> nft add chain inet filter input { type filter hook input priority 0 \; }
>> nft add chain inet filter forward { type filter hook forward priority 0 \; }
>> nft add chain inet filter output    { type filter hook output priority 0 \;
>> }
>> nft add table inet nat
>>
>> Thus far good and then things go awry and the output does not help to
>> understand what might be wrong:
>>
>> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
>> \; }
>> nft: unrecognized option: 1
> If you use the shell, you should use single-quote for the entire
> arguments.  nft 'add chain ...'
>
> here, nft thinks you passed '-1' as an option.

Thanks for the pointer, I just copied that from the wiki though...

>
>> and next up
>>
>> nft add chain inet nat postrouting { type nat hook postrouting priority 100
>> \; }
>> Error: Could not process rule: No such file or directory
> inet nat depends on CONFIG_NF_TABLES_INET.

That is apparently enabled in the kernel

xzgrep NF_TABLES /proc/config.gz
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_SET=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=m

[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Florian Westphal]

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> On 23/06/2020 21:23, Florian Westphal wrote:
> > ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> > > Since the ruleset that worked with kernel 4.19 did not anymore with kernel
> > > 5.4 (throwing segfault) I started from scratch to see what gives.
> > > 
> > > nft add table inet filter
> > > nft add chain inet filter input { type filter hook input priority 0 \; }
> > > nft add chain inet filter forward { type filter hook forward priority 0 \; }
> > > nft add chain inet filter output    { type filter hook output priority 0 \;
> > > }
> > > nft add table inet nat
> > > 
> > > Thus far good and then things go awry and the output does not help to
> > > understand what might be wrong:
> > > 
> > > nft add chain inet nat prerouting { type nat hook prerouting priority \-100
> > > \; }
> > > nft: unrecognized option: 1
> > If you use the shell, you should use single-quote for the entire
> > arguments.  nft 'add chain ...'
> > 
> > here, nft thinks you passed '-1' as an option.
> 
> Thanks for the pointer, I just copied that from the wiki though...

I've changed quoting style to nft 'add chain ...'.

> > > Error: Could not process rule: No such file or directory
> > inet nat depends on CONFIG_NF_TABLES_INET.
> 
> That is apparently enabled in the kernel
> 
> xzgrep NF_TABLES /proc/config.gz
> CONFIG_NF_TABLES=m
> CONFIG_NF_TABLES_SET=m
> CONFIG_NF_TABLES_INET=y

yup, looks good.

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 1640 bytes --]

On 23/06/2020 21:52, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> On 23/06/2020 21:23, Florian Westphal wrote:
>>> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>>>> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
>>>> 5.4 (throwing segfault) I started from scratch to see what gives.
>>>>
>>>> nft add table inet filter
>>>> nft add chain inet filter input { type filter hook input priority 0 \; }
>>>> nft add chain inet filter forward { type filter hook forward priority 0 \; }
>>>> nft add chain inet filter output    { type filter hook output priority 0 \;
>>>> }
>>>> nft add table inet nat
>>>>
>>>> Thus far good and then things go awry and the output does not help to
>>>> understand what might be wrong:
>>>>
>>>> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
>>>> \; }
>>>> nft: unrecognized option: 1
>>> If you use the shell, you should use single-quote for the entire
>>> arguments.  nft 'add chain ...'
>>>
>>> here, nft thinks you passed '-1' as an option.
>> Thanks for the pointer, I just copied that from the wiki though...
> I've changed quoting style to nft 'add chain ...'.
>
>>>> Error: Could not process rule: No such file or directory
>>> inet nat depends on CONFIG_NF_TABLES_INET.
>> That is apparently enabled in the kernel
>>
>> xzgrep NF_TABLES /proc/config.gz
>> CONFIG_NF_TABLES=m
>> CONFIG_NF_TABLES_SET=m
>> CONFIG_NF_TABLES_INET=y
> yup, looks good.

It should work then but somehow does not, any way to figure out what is 
going wrong then? I would rather prefer not having to return to IPT.



[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Florian Westphal]

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> It should work then but somehow does not, any way to figure out what is
> going wrong then? I would rather prefer not having to return to IPT.

Works for me on 5.6.18:
table inet nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
        }
}

load with nft -f.

If it doesn't work, try 'table ip nat' or 'table ip6 nat'.

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 1750 bytes --]

On 23/06/2020 22:48, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> It should work then but somehow does not, any way to figure out what is
>> going wrong then? I would rather prefer not having to return to IPT.
> Works for me on 5.6.18:
> table inet nat {
>          chain prerouting {
>                  type nat hook prerouting priority -100; policy accept;
>          }
>
>          chain input {
>                  type nat hook input priority 100; policy accept;
>          }
>
>          chain output {
>                  type nat hook output priority -100; policy accept;
>          }
>
>          chain postrouting {
>                  type nat hook postrouting priority 100; policy accept;
>          }
> }
>
> load with nft -f.
>
> If it doesn't work, try 'table ip nat' or 'table ip6 nat'.

Afraid, neither variation works, each throwing

/etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file 
or directory
         chain prerouting {
               ^^^^^^^^^^
/etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file 
or directory
         chain input {
               ^^^^^
/etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file 
or directory
         chain output {
               ^^^^^^
/etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file 
or directory
         chain postrouting {
               ^^^^^^^^^^^

Don't know whether txt attachments are accepted on this ML but enclosed 
full debug output (if its gets through), through it does not seem to 
reveal anything useful?

Could this be a bug in the kernel?



[-- Attachment #1.1.2: debug_log.txt --]
[-- Type: text/plain, Size: 48648 bytes --]


~# nft --debug all -cf "/etc/fw/test.conf"
Entering state 0
Reducing stack by rule 1 (line 808):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 253 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 11
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 449 ("ip6")
Next token is token "ip6" (: )
Shifting token "ip6" (: )
Entering state 37
Reducing stack by rule 303 (line 2161):
   $1 = token "ip6" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 11
Entering state 49
Reducing stack by rule 301 (line 2157):
   $1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 11
Entering state 48
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 48
Entering state 276
Reducing stack by rule 308 (line 2168):
   $1 = nterm family_spec (: )
   $2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 11
Entering state 61
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Reducing stack by rule 162 (line 1486):
-> $$ = nterm table_block_alloc (: )
Stack now 0 1 11 61
Entering state 373
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 908
Reducing stack by rule 164 (line 1506):
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
   $1 = nterm table_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("prerouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
   $1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("                ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("prerouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 234 ("-")
Next token is token "-" (: )
Shifting token "-" (: )
Entering state 1598
Reading a token: --accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1649
Reducing stack by rule 286 (line 2082):
   $1 = token "-" (: )
   $2 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
   $1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
   $1 = token "priority" (: )
   $2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
   $1 = token "type" (: )
   $2 = token "string" (: )
   $3 = token "hook" (: )
   $4 = token "string" (: )
   $5 = nterm dev_spec (: )
   $6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
   $1 = nterm chain_block (: )
   $2 = nterm hook_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
   $1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
   $1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
   $1 = token "policy" (: )
   $2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
   $1 = nterm chain_block (: )
   $2 = nterm policy_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
   $1 = nterm table_block (: )
   $2 = token "chain" (: )
   $3 = nterm chain_identifier (: )
   $4 = nterm chain_block_alloc (: )
   $5 = token '{' (: )
   $6 = nterm chain_block (: )
   $7 = token '}' (: )
   $8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
   $1 = nterm table_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("input")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
   $1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("                ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("input")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1599
Reducing stack by rule 285 (line 2081):
   $1 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
   $1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
   $1 = token "priority" (: )
   $2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
   $1 = token "type" (: )
   $2 = token "string" (: )
   $3 = token "hook" (: )
   $4 = token "string" (: )
   $5 = nterm dev_spec (: )
   $6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
   $1 = nterm chain_block (: )
   $2 = nterm hook_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
   $1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
   $1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
   $1 = token "policy" (: )
   $2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
   $1 = nterm chain_block (: )
   $2 = nterm policy_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
   $1 = nterm table_block (: )
   $2 = token "chain" (: )
   $3 = nterm chain_identifier (: )
   $4 = nterm chain_block_alloc (: )
   $5 = token '{' (: )
   $6 = nterm chain_block (: )
   $7 = token '}' (: )
   $8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
   $1 = nterm table_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("output")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
   $1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("                ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("output")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 234 ("-")
Next token is token "-" (: )
Shifting token "-" (: )
Entering state 1598
Reading a token: --accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1649
Reducing stack by rule 286 (line 2082):
   $1 = token "-" (: )
   $2 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
   $1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
   $1 = token "priority" (: )
   $2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
   $1 = token "type" (: )
   $2 = token "string" (: )
   $3 = token "hook" (: )
   $4 = token "string" (: )
   $5 = nterm dev_spec (: )
   $6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
   $1 = nterm chain_block (: )
   $2 = nterm hook_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
   $1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
   $1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
   $1 = token "policy" (: )
   $2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
   $1 = nterm chain_block (: )
   $2 = nterm policy_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
   $1 = nterm table_block (: )
   $2 = token "chain" (: )
   $3 = nterm chain_identifier (: )
   $4 = nterm chain_block_alloc (: )
   $5 = token '{' (: )
   $6 = nterm chain_block (: )
   $7 = token '}' (: )
   $8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
   $1 = nterm table_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("postrouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
   $1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("                ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("postrouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1599
Reducing stack by rule 285 (line 2081):
   $1 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
   $1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
   $1 = token "priority" (: )
   $2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
   $1 = token "type" (: )
   $2 = token "string" (: )
   $3 = token "hook" (: )
   $4 = token "string" (: )
   $5 = nterm dev_spec (: )
   $6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
   $1 = nterm chain_block (: )
   $2 = nterm hook_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
   $1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
   $1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
   $1 = token "policy" (: )
   $2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
   $1 = nterm chain_block (: )
   $2 = nterm policy_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
   $1 = nterm chain_block (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 ("        ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
   $1 = nterm table_block (: )
   $2 = token "chain" (: )
   $3 = nterm chain_identifier (: )
   $4 = nterm chain_block_alloc (: )
   $5 = token '{' (: )
   $6 = nterm chain_block (: )
   $7 = token '}' (: )
   $8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1302
Reducing stack by rule 32 (line 918):
   $1 = token "table" (: )
   $2 = nterm table_spec (: )
   $3 = nterm table_block_alloc (: )
   $4 = token '{' (: )
   $5 = nterm table_block (: )
   $6 = token '}' (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1
Entering state 47
Reducing stack by rule 16 (line 897):
   $1 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 46
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 46
Entering state 275
Reducing stack by rule 14 (line 876):
   $1 = nterm base_cmd (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 45
Reducing stack by rule 2 (line 809):
   $1 = nterm input (: )
   $2 = nterm line (: )
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
----------------        ------------------
|  0000000020  |        | message length |
| 02576 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02576 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
/etc/fw/test.conf:1:1-2: Evaluate add
table ip6 nat {
^^


/etc/fw/test.conf:3:51-54: Evaluate value
                type nat hook prerouting priority -100; policy accept;
                                                  ^^^^
4294967196

/etc/fw/test.conf:3:64-69: Evaluate value
                type nat hook prerouting priority -100; policy accept;
                                                               ^^^^^^
1

/etc/fw/test.conf:7:46-48: Evaluate value
                type nat hook input priority 100; policy accept;
                                             ^^^
100

/etc/fw/test.conf:7:58-63: Evaluate value
                type nat hook input priority 100; policy accept;
                                                         ^^^^^^
1

/etc/fw/test.conf:11:47-50: Evaluate value
                type nat hook output priority -100; policy accept;
                                              ^^^^
4294967196

/etc/fw/test.conf:11:60-65: Evaluate value
                type nat hook output priority -100; policy accept;
                                                           ^^^^^^
1

/etc/fw/test.conf:15:52-54: Evaluate value
                type nat hook postrouting priority 100; policy accept;
                                                   ^^^
100

/etc/fw/test.conf:15:64-69: Evaluate value
                type nat hook postrouting priority 100; policy accept;
                                                               ^^^^^^
1

ip6 nat prerouting use 0 type nat hook prerouting prio -100 policy accept packets 0 bytes 0
ip6 nat input use 0 type nat hook input prio 100 policy accept packets 0 bytes 0
ip6 nat output use 0 type nat hook output prio -100 policy accept packets 0 bytes 0
ip6 nat postrouting use 0 type nat hook postrouting prio 100 policy accept packets 0 bytes 0
----------------        ------------------
|  0000000020  |        | message length |
| 00016 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000036  |        | message length |
| 02560 | R--- |        |  type | flags  |
|  0000000001  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 0a 00 00 00  |        |  extra header  |
|00008|--|00001|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
|00008|--|00002|        |len |flags| type|
| 00 00 00 00  |        |      data      |
----------------        ------------------
----------------        ------------------
|  0000000080  |        | message length |
| 02563 | R--- |        |  type | flags  |
|  0000000002  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 0a 00 00 00  |        |  extra header  |
|00008|--|00001|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
|00015|--|00003|        |len |flags| type|
| 70 72 65 72  |        |      data      |       p r e r
| 6f 75 74 69  |        |      data      |       o u t i
| 6e 67 00 00  |        |      data      |       n g
|00020|N-|00004|        |len |flags| type|
|00008|--|00001|        |len |flags| type|
| 00 00 00 00  |        |      data      |
|00008|--|00002|        |len |flags| type|
| ff ff ff 9c  |        |      data      |
|00008|--|00005|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00007|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
----------------        ------------------
----------------        ------------------
|  0000000076  |        | message length |
| 02563 | R--- |        |  type | flags  |
|  0000000003  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 0a 00 00 00  |        |  extra header  |
|00008|--|00001|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
|00010|--|00003|        |len |flags| type|
| 69 6e 70 75  |        |      data      |       i n p u
| 74 00 00 00  |        |      data      |       t
|00020|N-|00004|        |len |flags| type|
|00008|--|00001|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00002|        |len |flags| type|
| 00 00 00 64  |        |      data      |             d
|00008|--|00005|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00007|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
----------------        ------------------
----------------        ------------------
|  0000000076  |        | message length |
| 02563 | R--- |        |  type | flags  |
|  0000000004  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 0a 00 00 00  |        |  extra header  |
|00008|--|00001|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
|00011|--|00003|        |len |flags| type|
| 6f 75 74 70  |        |      data      |       o u t p
| 75 74 00 00  |        |      data      |       u t
|00020|N-|00004|        |len |flags| type|
|00008|--|00001|        |len |flags| type|
| 00 00 00 03  |        |      data      |
|00008|--|00002|        |len |flags| type|
| ff ff ff 9c  |        |      data      |
|00008|--|00005|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00007|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
----------------        ------------------
----------------        ------------------
|  0000000080  |        | message length |
| 02563 | R--- |        |  type | flags  |
|  0000000005  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 0a 00 00 00  |        |  extra header  |
|00008|--|00001|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
|00016|--|00003|        |len |flags| type|
| 70 6f 73 74  |        |      data      |       p o s t
| 72 6f 75 74  |        |      data      |       r o u t
| 69 6e 67 00  |        |      data      |       i n g
|00020|N-|00004|        |len |flags| type|
|00008|--|00001|        |len |flags| type|
| 00 00 00 04  |        |      data      |
|00008|--|00002|        |len |flags| type|
| 00 00 00 64  |        |      data      |             d
|00008|--|00005|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00007|        |len |flags| type|
| 6e 61 74 00  |        |      data      |       n a t
----------------        ------------------
/etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or directory
        chain prerouting {
              ^^^^^^^^^^
/etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or directory
        chain input {
              ^^^^^
/etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or directory
        chain output {
              ^^^^^^
/etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or directory
        chain postrouting {
              ^^^^^^^^^^^

[-- Attachment #1.1.3: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Florian Westphal]

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Afraid, neither variation works, each throwing
> 
> /etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or
> directory
>         chain prerouting {
>               ^^^^^^^^^^
> /etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or
> directory
>         chain input {
>               ^^^^^
> /etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or
> directory
>         chain output {
>               ^^^^^^
> /etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or
> directory
>         chain postrouting {
>               ^^^^^^^^^^^
> 
> Don't know whether txt attachments are accepted on this ML but enclosed full
> debug output (if its gets through), through it does not seem to reveal
> anything useful?

No.

> Could this be a bug in the kernel?

Its a kernel bug, or misconfiguration. Nat hook is provided via

 modinfo nft_chain_nat
 filename:
 /lib/modules/5.6.18/kernel/net/netfilter/nft_chain_nat.ko.gz
 alias:          nft-chain-1-nat
 alias:          nft-chain-10-nat
 alias:          nft-chain-2-nat
 license:        GPL
 srcversion:     45E82B99D3993871BD6131E
 depends:        nf_nat,nf_tables
 intree:         Y
 name:           nft_chain_nat
 vermagic:       5.6.18 SMP preempt mod_unload modversions 

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 2680 bytes --]

On 24/06/2020 08:14, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> Afraid, neither variation works, each throwing
>>
>> /etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or
>> directory
>>          chain prerouting {
>>                ^^^^^^^^^^
>> /etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or
>> directory
>>          chain input {
>>                ^^^^^
>> /etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or
>> directory
>>          chain output {
>>                ^^^^^^
>> /etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or
>> directory
>>          chain postrouting {
>>                ^^^^^^^^^^^
>>
>> Don't know whether txt attachments are accepted on this ML but enclosed full
>> debug output (if its gets through), through it does not seem to reveal
>> anything useful?
> No.
>
>> Could this be a bug in the kernel?
> Its a kernel bug, or misconfiguration. Nat hook is provided via
>
>   modinfo nft_chain_nat
>   filename:
>   /lib/modules/5.6.18/kernel/net/netfilter/nft_chain_nat.ko.gz
>   alias:          nft-chain-1-nat
>   alias:          nft-chain-10-nat
>   alias:          nft-chain-2-nat
>   license:        GPL
>   srcversion:     45E82B99D3993871BD6131E
>   depends:        nf_nat,nf_tables
>   intree:         Y
>   name:           nft_chain_nat
>   vermagic:       5.6.18 SMP preempt mod_unload modversions

Getting somewhere now, unless there are different kconf flags in 5.6 for 
building that module, least on this node with 5.4:

modinfo: ERROR: Module alias nft_chain_nat not found.

Which kconf flag is supposed to generate that particular module? Looked 
into https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig 
but could not find something specific that builds that module.

This node's repo ships:

kmod-nft-core:
/lib/modules/5.4.48/nft_reject.ko
/lib/modules/5.4.48/nft_reject_ipv4.ko
/lib/modules/5.4.48/nf_tables_set.ko
/lib/modules/5.4.48/nft_numgen.ko
/lib/modules/5.4.48/nft_counter.ko
/lib/modules/5.4.48/nft_reject_ipv6.ko
/lib/modules/5.4.48/nft_ct.ko
/lib/modules/5.4.48/nf_tables.ko
/lib/modules/5.4.48/nft_redir.ko
/lib/modules/5.4.48/nft_limit.ko
/lib/modules/5.4.48/nft_hash.ko
/lib/modules/5.4.48/nft_objref.ko
/lib/modules/5.4.48/nft_reject_inet.ko
/lib/modules/5.4.48/nft_quota.ko
/lib/modules/5.4.48/nft_log.ko

kmod-nft-nat:
/lib/modules/5.4.48/nft_masq.ko
/lib/modules/5.4.48/nft_nat.ko

kmod-nft-nat6:
appears to be an empty package


[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Florian Westphal]

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
 
> Getting somewhere now, unless there are different kconf flags in 5.6 for
> building that module, least on this node with 5.4:
> 
> modinfo: ERROR: Module alias nft_chain_nat not found.
> 
> Which kconf flag is supposed to generate that particular module? Looked into
> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
> not find something specific that builds that module.

https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile

-> CONFIG_NFT_NAT

... which you seem to have enabled already.
So I would guess that the build system used doesn't pick the module up
for some reason.

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 862 bytes --]

On 24/06/2020 08:53, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>   
>> Getting somewhere now, unless there are different kconf flags in 5.6 for
>> building that module, least on this node with 5.4:
>>
>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>
>> Which kconf flag is supposed to generate that particular module? Looked into
>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
>> not find something specific that builds that module.
> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>
> -> CONFIG_NFT_NAT
>
> ... which you seem to have enabled already.
> So I would guess that the build system used doesn't pick the module up
> for some reason.

Thank you for the assistance. Will take it up with the distro 
maintainers to take a look at their build system.

[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Duncan Roe]

On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
> On 24/06/2020 08:53, Florian Westphal wrote:
> > ????????????? <vtol@gmx.net> wrote:
> > > Getting somewhere now, unless there are different kconf flags in 5.6 for
> > > building that module, least on this node with 5.4:
> > >
> > > modinfo: ERROR: Module alias nft_chain_nat not found.
> > >
> > > Which kconf flag is supposed to generate that particular module? Looked into
> > > https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
> > > not find something specific that builds that module.
> > https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
> >
> > -> CONFIG_NFT_NAT
> >
> > ... which you seem to have enabled already.
> > So I would guess that the build system used doesn't pick the module up
> > for some reason.
>
> Thank you for the assistance. Will take it up with the distro maintainers to
> take a look at their build system.

What is your distro BTW?

In the meantime, maybe a depmod would help, if you haven't already tried that.

Cheers ... Duncan.

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 1379 bytes --]


On 25/06/2020 01:45, Duncan Roe wrote:
> On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
>> On 24/06/2020 08:53, Florian Westphal wrote:
>>> ????????????? <vtol@gmx.net> wrote:
>>>> Getting somewhere now, unless there are different kconf flags in 5.6 for
>>>> building that module, least on this node with 5.4:
>>>>
>>>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>>>
>>>> Which kconf flag is supposed to generate that particular module? Looked into
>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
>>>> not find something specific that builds that module.
>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>>>
>>> -> CONFIG_NFT_NAT
>>>
>>> ... which you seem to have enabled already.
>>> So I would guess that the build system used doesn't pick the module up
>>> for some reason.
>> Thank you for the assistance. Will take it up with the distro maintainers to
>> take a look at their build system.
> What is your distro BTW?

OpenWrt, whilst revolving around routers it is not NFT centric.

>
> In the meantime, maybe a depmod would help, if you haven't already tried that.
>
> Cheers ... Duncan.

Does not work with the distro as it does not provide the necessary 
directories /lib/modules/$(uname -r)/modules.order and 
/lib/modules/$(uname -r)/modules.builtin

[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[ѽ҉ᶬḳ℠]

[-- Attachment #1.1.1: Type: text/plain, Size: 2318 bytes --]

On 25/06/2020 07:13, ѽ҉ᶬḳ℠ wrote:
>
> On 25/06/2020 01:45, Duncan Roe wrote:
>> On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
>>> On 24/06/2020 08:53, Florian Westphal wrote:
>>>> ????????????? <vtol@gmx.net> wrote:
>>>>> Getting somewhere now, unless there are different kconf flags in 
>>>>> 5.6 for
>>>>> building that module, least on this node with 5.4:
>>>>>
>>>>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>>>>
>>>>> Which kconf flag is supposed to generate that particular module? 
>>>>> Looked into
>>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig 
>>>>> but could
>>>>> not find something specific that builds that module.
>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>>>>
>>>> -> CONFIG_NFT_NAT
>>>>
>>>> ... which you seem to have enabled already.
>>>> So I would guess that the build system used doesn't pick the module up
>>>> for some reason.
>>> Thank you for the assistance. Will take it up with the distro 
>>> maintainers to
>>> take a look at their build system.
>> What is your distro BTW?
>
> OpenWrt, whilst revolving around routers it is not NFT centric.
>
>>
>> In the meantime, maybe a depmod would help, if you haven't already 
>> tried that.
>>
>> Cheers ... Duncan.
>
> Does not work with the distro as it does not provide the necessary 
> directories /lib/modules/$(uname -r)/modules.order and 
> /lib/modules/$(uname -r)/modules.builtin

Alternatively there is - oddly none exhibiting a dependency on 
nft_chain_nat:

ls /lib/modules/$(uname -r) | grep nat
iptable_nat.ko
nf_nat.ko
nf_nat_amanda.ko
nf_nat_ftp.ko
nf_nat_h323.ko
nf_nat_irc.ko
nf_nat_pptp.ko
nf_nat_sip.ko
nf_nat_snmp_basic.ko
nf_nat_tftp.ko
nft_nat.ko
xt_nat.ko

modprobe -D nf_nat
insmod /lib/modules/5.4.48/nf_defrag_ipv4.ko
insmod /lib/modules/5.4.48/nf_defrag_ipv6.ko
insmod /lib/modules/5.4.48/nf_conntrack.ko
insmod /lib/modules/5.4.48/nf_nat.ko

modprobe -D nft_nat
insmod /lib/modules/5.4.48/nf_defrag_ipv4.ko
insmod /lib/modules/5.4.48/nf_defrag_ipv6.ko
insmod /lib/modules/5.4.48/nf_conntrack.ko
insmod /lib/modules/5.4.48/nf_nat.ko
insmod /lib/modules/5.4.48/nfnetlink.ko
insmod /lib/modules/5.4.48/nf_tables.ko
insmod /lib/modules/5.4.48/nft_nat.ko

[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work

[Duncan Roe]

On Thu, Jun 25, 2020 at 08:45:00AM +0000, ????????????? wrote:
> On 25/06/2020 07:13, ????????????? wrote:
[...]
> > 
> > OpenWrt, whilst revolving around routers it is not NFT centric.
> > 
[...]
> > 
> > Does not work with the distro as it does not provide the necessary
> > directories /lib/modules/$(uname -r)/modules.order and
> > /lib/modules/$(uname -r)/modules.builtin

That is odd. The 2 files are approx 130KB and 13KB and are always produced in a
kernel build.
> 
> Alternatively there is - oddly none exhibiting a dependency on
> nft_chain_nat:
> 
nft_chain_nat depends on nf_nat & nf_tables, not vice versa.
The kernel loads it in respone to the netlink message generated by
> nft 'add chain inet nat prerouting...

I can't reproduce what you see even with these revisions:

# nft --version
nftables v0.9.3 (Topsy)
# ls -1 /usr/lib64/libnftnl*
/usr/lib64/libnftnl.so
/usr/lib64/libnftnl.so.11
/usr/lib64/libnftnl.so.11.2.0
# uname -r
5.4.48

If you modprobe nft_chain_nat as part of the boot process, you should of course
be fine.
To explore the problem further, I would build a 5.4.48 kernel from kernel.org
source, using the .config you have. As long as you have a spare 6G disc space,
you gould git clone
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (6GB allows for a
build).

Cheers ... Duncan.