* [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
@ 2020-06-23 20:38 ѽ҉ᶬḳ℠
2020-06-23 21:23 ` Florian Westphal
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-23 20:38 UTC (permalink / raw)
To: netfilter
[-- Attachment #1.1.1: Type: text/plain, Size: 3479 bytes --]
Since the ruleset that worked with kernel 4.19 did not anymore with
kernel 5.4 (throwing segfault) I started from scratch to see what gives.
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
nft add chain inet filter output { type filter hook output priority 0
\; }
nft add table inet nat
Thus far good and then things go awry and the output does not help to
understand what might be wrong:
nft add chain inet nat prerouting { type nat hook prerouting priority
\-100 \; }
nft: unrecognized option: 1
and next up
nft add chain inet nat postrouting { type nat hook postrouting priority
100 \; }
Error: Could not process rule: No such file or directory
Has there been some syntax change for NAT? Checked the kconf and loaded
module but don't see anything amiss?
xzgrep _NAT /proc/config.gz
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NFT_NAT=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_NAT=m
CONFIG_IP6_NF_NAT=m
CONFIG_BRIDGE_EBT_T_NAT=m
# CONFIG_NET_ACT_NAT is not set
lsmod | grep 'nf_nat\|nft_nat'
nf_nat_amanda 16384 0
nf_conntrack_amanda 16384 4 nf_nat_amanda
nft_nat 16384 0
nf_tables 114688 28
nft_ct,nft_reject_bridge,nft_nat,nft_numgen,nft_fwd_netdev,nf_flow_table_ipv6,nft_redir,nf_flow_table_ipv4,nft_fib_inet,nft_reject,nft_reject_ipv6,nft_reject_ipv4,nft_limit,nf_tables_set,nft_dup_netdev,nft_flow_offload,nf_flow_table_inet,nft_meta_bridge,nft_masq,nft_fib,nft_reject_inet,nft_fib_ipv6,nft_objref,nft_fib_ipv4,nft_hash,nft_quota,nft_counter,nft_log
nf_nat_tftp 16384 0
nf_nat_snmp_basic 16384 0
nf_nat_sip 20480 0
nf_nat_pptp 16384 0
nf_nat_irc 16384 0
nf_nat_h323 16384 0
nf_nat_ftp 16384 0
nf_nat 32768 14
nft_nat,nf_nat_pptp,nft_redir,xt_nat,nf_nat_h323,nf_nat_sip,nf_nat_irc,xt_MASQUERADE,iptable_nat,nft_masq,nf_nat_ftp,nf_nat_amanda,xt_REDIRECT,nf_nat_tftp
nf_conntrack_tftp 16384 4 nf_nat_tftp
nf_conntrack_snmp 16384 4 nf_nat_snmp_basic
nf_conntrack_sip 28672 7 nf_nat_sip
nf_conntrack_pptp 16384 4 nf_nat_pptp
nf_conntrack_irc 16384 4 nf_nat_irc
nf_conntrack_h323 45056 7 nf_nat_h323
nf_conntrack_ftp 16384 4 nf_nat_ftp
nf_conntrack 81920 39
nft_ct,xt_state,nft_nat,nf_nat_pptp,nf_conntrack_sip,nft_redir,act_ctinfo,nf_conntrack_snmp,nf_conncount,nf_conntrack_irc,xt_nat,nf_nat_h323,act_connmark,nf_flow_table,nf_conntrack_ftp,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_tftp,nft_flow_offload,nf_nat_irc,xt_MASQUERADE,xt_connmark,nf_conntrack_pptp,nft_masq,nf_conntrack_amanda,nf_conntrack_rtcache,xt_helper,nf_conntrack_broadcast,nf_nat_ftp,nf_nat_amanda,xt_connlimit,nf_conntrack_netlink,xt_connbytes,xt_CT,nf_conntrack_h323,xt_conntrack,xt_REDIRECT,nf_nat_tftp,nf_nat
asn1_decoder 16384 2 nf_nat_snmp_basic,rsa_generic
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 20:38 [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work ѽ҉ᶬḳ℠
@ 2020-06-23 21:23 ` Florian Westphal
2020-06-23 21:34 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Florian Westphal @ 2020-06-23 21:23 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
> 5.4 (throwing segfault) I started from scratch to see what gives.
>
> nft add table inet filter
> nft add chain inet filter input { type filter hook input priority 0 \; }
> nft add chain inet filter forward { type filter hook forward priority 0 \; }
> nft add chain inet filter output { type filter hook output priority 0 \;
> }
> nft add table inet nat
>
> Thus far good and then things go awry and the output does not help to
> understand what might be wrong:
>
> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
> \; }
> nft: unrecognized option: 1
If you use the shell, you should use single-quote for the entire
arguments. nft 'add chain ...'
here, nft thinks you passed '-1' as an option.
> and next up
>
> nft add chain inet nat postrouting { type nat hook postrouting priority 100
> \; }
> Error: Could not process rule: No such file or directory
inet nat depends on CONFIG_NF_TABLES_INET.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 21:23 ` Florian Westphal
@ 2020-06-23 21:34 ` ѽ҉ᶬḳ℠
2020-06-23 21:52 ` Florian Westphal
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-23 21:34 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Florian Westphal
[-- Attachment #1.1.1: Type: text/plain, Size: 1505 bytes --]
On 23/06/2020 21:23, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
>> 5.4 (throwing segfault) I started from scratch to see what gives.
>>
>> nft add table inet filter
>> nft add chain inet filter input { type filter hook input priority 0 \; }
>> nft add chain inet filter forward { type filter hook forward priority 0 \; }
>> nft add chain inet filter output { type filter hook output priority 0 \;
>> }
>> nft add table inet nat
>>
>> Thus far good and then things go awry and the output does not help to
>> understand what might be wrong:
>>
>> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
>> \; }
>> nft: unrecognized option: 1
> If you use the shell, you should use single-quote for the entire
> arguments. nft 'add chain ...'
>
> here, nft thinks you passed '-1' as an option.
Thanks for the pointer, I just copied that from the wiki though...
>
>> and next up
>>
>> nft add chain inet nat postrouting { type nat hook postrouting priority 100
>> \; }
>> Error: Could not process rule: No such file or directory
> inet nat depends on CONFIG_NF_TABLES_INET.
That is apparently enabled in the kernel
xzgrep NF_TABLES /proc/config.gz
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_SET=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=m
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 21:34 ` ѽ҉ᶬḳ℠
@ 2020-06-23 21:52 ` Florian Westphal
2020-06-23 22:12 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Florian Westphal @ 2020-06-23 21:52 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠
Cc: netfilter@vger.kernel.org, Florian Westphal
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> On 23/06/2020 21:23, Florian Westphal wrote:
> > ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> > > Since the ruleset that worked with kernel 4.19 did not anymore with kernel
> > > 5.4 (throwing segfault) I started from scratch to see what gives.
> > >
> > > nft add table inet filter
> > > nft add chain inet filter input { type filter hook input priority 0 \; }
> > > nft add chain inet filter forward { type filter hook forward priority 0 \; }
> > > nft add chain inet filter output { type filter hook output priority 0 \;
> > > }
> > > nft add table inet nat
> > >
> > > Thus far good and then things go awry and the output does not help to
> > > understand what might be wrong:
> > >
> > > nft add chain inet nat prerouting { type nat hook prerouting priority \-100
> > > \; }
> > > nft: unrecognized option: 1
> > If you use the shell, you should use single-quote for the entire
> > arguments. nft 'add chain ...'
> >
> > here, nft thinks you passed '-1' as an option.
>
> Thanks for the pointer, I just copied that from the wiki though...
I've changed quoting style to nft 'add chain ...'.
> > > Error: Could not process rule: No such file or directory
> > inet nat depends on CONFIG_NF_TABLES_INET.
>
> That is apparently enabled in the kernel
>
> xzgrep NF_TABLES /proc/config.gz
> CONFIG_NF_TABLES=m
> CONFIG_NF_TABLES_SET=m
> CONFIG_NF_TABLES_INET=y
yup, looks good.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 21:52 ` Florian Westphal
@ 2020-06-23 22:12 ` ѽ҉ᶬḳ℠
2020-06-23 22:48 ` Florian Westphal
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-23 22:12 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Florian Westphal
[-- Attachment #1.1.1: Type: text/plain, Size: 1640 bytes --]
On 23/06/2020 21:52, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> On 23/06/2020 21:23, Florian Westphal wrote:
>>> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>>>> Since the ruleset that worked with kernel 4.19 did not anymore with kernel
>>>> 5.4 (throwing segfault) I started from scratch to see what gives.
>>>>
>>>> nft add table inet filter
>>>> nft add chain inet filter input { type filter hook input priority 0 \; }
>>>> nft add chain inet filter forward { type filter hook forward priority 0 \; }
>>>> nft add chain inet filter output { type filter hook output priority 0 \;
>>>> }
>>>> nft add table inet nat
>>>>
>>>> Thus far good and then things go awry and the output does not help to
>>>> understand what might be wrong:
>>>>
>>>> nft add chain inet nat prerouting { type nat hook prerouting priority \-100
>>>> \; }
>>>> nft: unrecognized option: 1
>>> If you use the shell, you should use single-quote for the entire
>>> arguments. nft 'add chain ...'
>>>
>>> here, nft thinks you passed '-1' as an option.
>> Thanks for the pointer, I just copied that from the wiki though...
> I've changed quoting style to nft 'add chain ...'.
>
>>>> Error: Could not process rule: No such file or directory
>>> inet nat depends on CONFIG_NF_TABLES_INET.
>> That is apparently enabled in the kernel
>>
>> xzgrep NF_TABLES /proc/config.gz
>> CONFIG_NF_TABLES=m
>> CONFIG_NF_TABLES_SET=m
>> CONFIG_NF_TABLES_INET=y
> yup, looks good.
It should work then but somehow does not, any way to figure out what is
going wrong then? I would rather prefer not having to return to IPT.
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 22:12 ` ѽ҉ᶬḳ℠
@ 2020-06-23 22:48 ` Florian Westphal
2020-06-23 23:11 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Florian Westphal @ 2020-06-23 22:48 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter@vger.kernel.org
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> It should work then but somehow does not, any way to figure out what is
> going wrong then? I would rather prefer not having to return to IPT.
Works for me on 5.6.18:
table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
}
chain input {
type nat hook input priority 100; policy accept;
}
chain output {
type nat hook output priority -100; policy accept;
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
}
}
load with nft -f.
If it doesn't work, try 'table ip nat' or 'table ip6 nat'.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 22:48 ` Florian Westphal
@ 2020-06-23 23:11 ` ѽ҉ᶬḳ℠
2020-06-24 8:14 ` Florian Westphal
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-23 23:11 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Florian Westphal
[-- Attachment #1.1.1: Type: text/plain, Size: 1750 bytes --]
On 23/06/2020 22:48, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> It should work then but somehow does not, any way to figure out what is
>> going wrong then? I would rather prefer not having to return to IPT.
> Works for me on 5.6.18:
> table inet nat {
> chain prerouting {
> type nat hook prerouting priority -100; policy accept;
> }
>
> chain input {
> type nat hook input priority 100; policy accept;
> }
>
> chain output {
> type nat hook output priority -100; policy accept;
> }
>
> chain postrouting {
> type nat hook postrouting priority 100; policy accept;
> }
> }
>
> load with nft -f.
>
> If it doesn't work, try 'table ip nat' or 'table ip6 nat'.
Afraid, neither variation works, each throwing
/etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file
or directory
chain prerouting {
^^^^^^^^^^
/etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file
or directory
chain input {
^^^^^
/etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file
or directory
chain output {
^^^^^^
/etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file
or directory
chain postrouting {
^^^^^^^^^^^
Don't know whether txt attachments are accepted on this ML but enclosed
full debug output (if its gets through), through it does not seem to
reveal anything useful?
Could this be a bug in the kernel?
[-- Attachment #1.1.2: debug_log.txt --]
[-- Type: text/plain, Size: 48648 bytes --]
~# nft --debug all -cf "/etc/fw/test.conf"
Entering state 0
Reducing stack by rule 1 (line 808):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 253 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 11
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 449 ("ip6")
Next token is token "ip6" (: )
Shifting token "ip6" (: )
Entering state 37
Reducing stack by rule 303 (line 2161):
$1 = token "ip6" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 11
Entering state 49
Reducing stack by rule 301 (line 2157):
$1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 11
Entering state 48
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 48
Entering state 276
Reducing stack by rule 308 (line 2168):
$1 = nterm family_spec (: )
$2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 11
Entering state 61
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Reducing stack by rule 162 (line 1486):
-> $$ = nterm table_block_alloc (: )
Stack now 0 1 11 61
Entering state 373
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 908
Reducing stack by rule 164 (line 1506):
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
$1 = nterm table_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("prerouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
$1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("prerouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 234 ("-")
Next token is token "-" (: )
Shifting token "-" (: )
Entering state 1598
Reading a token: --accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1649
Reducing stack by rule 286 (line 2082):
$1 = token "-" (: )
$2 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
$1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
$1 = token "priority" (: )
$2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
$1 = token "type" (: )
$2 = token "string" (: )
$3 = token "hook" (: )
$4 = token "string" (: )
$5 = nterm dev_spec (: )
$6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
$1 = nterm chain_block (: )
$2 = nterm hook_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
$1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
$1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
$1 = token "policy" (: )
$2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
$1 = nterm chain_block (: )
$2 = nterm policy_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
$1 = nterm table_block (: )
$2 = token "chain" (: )
$3 = nterm chain_identifier (: )
$4 = nterm chain_block_alloc (: )
$5 = token '{' (: )
$6 = nterm chain_block (: )
$7 = token '}' (: )
$8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
$1 = nterm table_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("input")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
$1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("input")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1599
Reducing stack by rule 285 (line 2081):
$1 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
$1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
$1 = token "priority" (: )
$2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
$1 = token "type" (: )
$2 = token "string" (: )
$3 = token "hook" (: )
$4 = token "string" (: )
$5 = nterm dev_spec (: )
$6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
$1 = nterm chain_block (: )
$2 = nterm hook_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
$1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
$1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
$1 = token "policy" (: )
$2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
$1 = nterm chain_block (: )
$2 = nterm policy_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
$1 = nterm table_block (: )
$2 = token "chain" (: )
$3 = nterm chain_identifier (: )
$4 = nterm chain_block_alloc (: )
$5 = token '{' (: )
$6 = nterm chain_block (: )
$7 = token '}' (: )
$8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
$1 = nterm table_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("output")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
$1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("output")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 234 ("-")
Next token is token "-" (: )
Shifting token "-" (: )
Entering state 1598
Reading a token: --accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1649
Reducing stack by rule 286 (line 2082):
$1 = token "-" (: )
$2 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
$1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
$1 = token "priority" (: )
$2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
$1 = token "type" (: )
$2 = token "string" (: )
$3 = token "hook" (: )
$4 = token "string" (: )
$5 = nterm dev_spec (: )
$6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
$1 = nterm chain_block (: )
$2 = nterm hook_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
$1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
$1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
$1 = token "policy" (: )
$2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
$1 = nterm chain_block (: )
$2 = nterm policy_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
$1 = nterm table_block (: )
$2 = token "chain" (: )
$3 = nterm chain_identifier (: )
$4 = nterm chain_block_alloc (: )
$5 = token '{' (: )
$6 = nterm chain_block (: )
$7 = token '}' (: )
$8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138
Entering state 1303
Reducing stack by rule 166 (line 1508):
$1 = nterm table_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 255 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 1292
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("postrouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 55
Reducing stack by rule 295 (line 2133):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1404
Reducing stack by rule 312 (line 2202):
$1 = nterm identifier (: )
-> $$ = nterm chain_identifier (: )
Stack now 0 1 11 61 373 908 1138 1292
Entering state 1405
Reducing stack by rule 180 (line 1637):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 11 61 373 908 1138 1292 1405
Entering state 1522
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 215 ("{")
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 1579
Reducing stack by rule 181 (line 1643):
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 387 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1307
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("nat")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1425
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 250 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1533
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 638 ("postrouting")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1590
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 450 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 289 (line 2100):
-> $$ = nterm dev_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590
Entering state 1643
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1545
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 612 ("100")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1599
Reducing stack by rule 285 (line 2081):
$1 = token "number" (: )
-> $$ = nterm int_num (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1604
Reducing stack by rule 280 (line 2025):
$1 = nterm int_num (: )
-> $$ = nterm extended_prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643 1545
Entering state 1603
Reducing stack by rule 277 (line 2011):
$1 = token "priority" (: )
$2 = nterm extended_prio_spec (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1307 1425 1533 1590 1643
Entering state 1689
Reducing stack by rule 276 (line 1983):
$1 = token "type" (: )
$2 = token "string" (: )
$3 = token "hook" (: )
$4 = token "string" (: )
$5 = nterm dev_spec (: )
$6 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1311
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1311
Entering state 1426
Reducing stack by rule 184 (line 1646):
$1 = nterm chain_block (: )
$2 = nterm hook_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 313 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1306
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 274 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1420
Reducing stack by rule 293 (line 2129):
$1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1423
Reducing stack by rule 292 (line 2120):
$1 = nterm chain_policy (: )
-> $$ = nterm policy_expr (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1306
Entering state 1422
Reducing stack by rule 290 (line 2103):
$1 = token "policy" (: )
$2 = nterm policy_expr (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1312
Reading a token: --accepting rule at line 214 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 819):
$1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1312
Entering state 1427
Reducing stack by rule 185 (line 1647):
$1 = nterm chain_block (: )
$2 = nterm policy_spec (: )
$3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630
Entering state 1309
Reducing stack by rule 183 (line 1645):
$1 = nterm chain_block (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579
Entering state 1630
Reading a token: --(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--(end of buffer or a NUL)
--accepting rule at line 653 (" ")
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1664
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 11 61 373 908 1138 1292 1405 1522 1579 1630 1664
Entering state 1699
Reducing stack by rule 168 (line 1510):
$1 = nterm table_block (: )
$2 = token "chain" (: )
$3 = nterm chain_identifier (: )
$4 = nterm chain_block_alloc (: )
$5 = token '{' (: )
$6 = nterm chain_block (: )
$7 = token '}' (: )
$8 = nterm stmt_separator (: )
-> $$ = nterm table_block (: )
Stack now 0 1 11 61 373 908
Entering state 1138
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 216 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1302
Reducing stack by rule 32 (line 918):
$1 = token "table" (: )
$2 = nterm table_spec (: )
$3 = nterm table_block_alloc (: )
$4 = token '{' (: )
$5 = nterm table_block (: )
$6 = token '}' (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1
Entering state 47
Reducing stack by rule 16 (line 897):
$1 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 46
Reading a token: --accepting rule at line 647 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 818):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 46
Entering state 275
Reducing stack by rule 14 (line 876):
$1 = nterm base_cmd (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 45
Reducing stack by rule 2 (line 809):
$1 = nterm input (: )
$2 = nterm line (: )
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
/etc/fw/test.conf:1:1-2: Evaluate add
table ip6 nat {
^^
/etc/fw/test.conf:3:51-54: Evaluate value
type nat hook prerouting priority -100; policy accept;
^^^^
4294967196
/etc/fw/test.conf:3:64-69: Evaluate value
type nat hook prerouting priority -100; policy accept;
^^^^^^
1
/etc/fw/test.conf:7:46-48: Evaluate value
type nat hook input priority 100; policy accept;
^^^
100
/etc/fw/test.conf:7:58-63: Evaluate value
type nat hook input priority 100; policy accept;
^^^^^^
1
/etc/fw/test.conf:11:47-50: Evaluate value
type nat hook output priority -100; policy accept;
^^^^
4294967196
/etc/fw/test.conf:11:60-65: Evaluate value
type nat hook output priority -100; policy accept;
^^^^^^
1
/etc/fw/test.conf:15:52-54: Evaluate value
type nat hook postrouting priority 100; policy accept;
^^^
100
/etc/fw/test.conf:15:64-69: Evaluate value
type nat hook postrouting priority 100; policy accept;
^^^^^^
1
ip6 nat prerouting use 0 type nat hook prerouting prio -100 policy accept packets 0 bytes 0
ip6 nat input use 0 type nat hook input prio 100 policy accept packets 0 bytes 0
ip6 nat output use 0 type nat hook output prio -100 policy accept packets 0 bytes 0
ip6 nat postrouting use 0 type nat hook postrouting prio 100 policy accept packets 0 bytes 0
---------------- ------------------
| 0000000020 | | message length |
| 00016 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 0a 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000036 | | message length |
| 02560 | R--- | | type | flags |
| 0000000001 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 0a 00 00 00 | | extra header |
|00008|--|00001| |len |flags| type|
| 6e 61 74 00 | | data | n a t
|00008|--|00002| |len |flags| type|
| 00 00 00 00 | | data |
---------------- ------------------
---------------- ------------------
| 0000000080 | | message length |
| 02563 | R--- | | type | flags |
| 0000000002 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 0a 00 00 00 | | extra header |
|00008|--|00001| |len |flags| type|
| 6e 61 74 00 | | data | n a t
|00015|--|00003| |len |flags| type|
| 70 72 65 72 | | data | p r e r
| 6f 75 74 69 | | data | o u t i
| 6e 67 00 00 | | data | n g
|00020|N-|00004| |len |flags| type|
|00008|--|00001| |len |flags| type|
| 00 00 00 00 | | data |
|00008|--|00002| |len |flags| type|
| ff ff ff 9c | | data |
|00008|--|00005| |len |flags| type|
| 00 00 00 01 | | data |
|00008|--|00007| |len |flags| type|
| 6e 61 74 00 | | data | n a t
---------------- ------------------
---------------- ------------------
| 0000000076 | | message length |
| 02563 | R--- | | type | flags |
| 0000000003 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 0a 00 00 00 | | extra header |
|00008|--|00001| |len |flags| type|
| 6e 61 74 00 | | data | n a t
|00010|--|00003| |len |flags| type|
| 69 6e 70 75 | | data | i n p u
| 74 00 00 00 | | data | t
|00020|N-|00004| |len |flags| type|
|00008|--|00001| |len |flags| type|
| 00 00 00 01 | | data |
|00008|--|00002| |len |flags| type|
| 00 00 00 64 | | data | d
|00008|--|00005| |len |flags| type|
| 00 00 00 01 | | data |
|00008|--|00007| |len |flags| type|
| 6e 61 74 00 | | data | n a t
---------------- ------------------
---------------- ------------------
| 0000000076 | | message length |
| 02563 | R--- | | type | flags |
| 0000000004 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 0a 00 00 00 | | extra header |
|00008|--|00001| |len |flags| type|
| 6e 61 74 00 | | data | n a t
|00011|--|00003| |len |flags| type|
| 6f 75 74 70 | | data | o u t p
| 75 74 00 00 | | data | u t
|00020|N-|00004| |len |flags| type|
|00008|--|00001| |len |flags| type|
| 00 00 00 03 | | data |
|00008|--|00002| |len |flags| type|
| ff ff ff 9c | | data |
|00008|--|00005| |len |flags| type|
| 00 00 00 01 | | data |
|00008|--|00007| |len |flags| type|
| 6e 61 74 00 | | data | n a t
---------------- ------------------
---------------- ------------------
| 0000000080 | | message length |
| 02563 | R--- | | type | flags |
| 0000000005 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 0a 00 00 00 | | extra header |
|00008|--|00001| |len |flags| type|
| 6e 61 74 00 | | data | n a t
|00016|--|00003| |len |flags| type|
| 70 6f 73 74 | | data | p o s t
| 72 6f 75 74 | | data | r o u t
| 69 6e 67 00 | | data | i n g
|00020|N-|00004| |len |flags| type|
|00008|--|00001| |len |flags| type|
| 00 00 00 04 | | data |
|00008|--|00002| |len |flags| type|
| 00 00 00 64 | | data | d
|00008|--|00005| |len |flags| type|
| 00 00 00 01 | | data |
|00008|--|00007| |len |flags| type|
| 6e 61 74 00 | | data | n a t
---------------- ------------------
/etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or directory
chain prerouting {
^^^^^^^^^^
/etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or directory
chain input {
^^^^^
/etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or directory
chain output {
^^^^^^
/etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or directory
chain postrouting {
^^^^^^^^^^^
[-- Attachment #1.1.3: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-23 23:11 ` ѽ҉ᶬḳ℠
@ 2020-06-24 8:14 ` Florian Westphal
2020-06-24 8:47 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Florian Westphal @ 2020-06-24 8:14 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠
Cc: netfilter@vger.kernel.org, Florian Westphal
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Afraid, neither variation works, each throwing
>
> /etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or
> directory
> chain prerouting {
> ^^^^^^^^^^
> /etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or
> directory
> chain input {
> ^^^^^
> /etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or
> directory
> chain output {
> ^^^^^^
> /etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or
> directory
> chain postrouting {
> ^^^^^^^^^^^
>
> Don't know whether txt attachments are accepted on this ML but enclosed full
> debug output (if its gets through), through it does not seem to reveal
> anything useful?
No.
> Could this be a bug in the kernel?
Its a kernel bug, or misconfiguration. Nat hook is provided via
modinfo nft_chain_nat
filename:
/lib/modules/5.6.18/kernel/net/netfilter/nft_chain_nat.ko.gz
alias: nft-chain-1-nat
alias: nft-chain-10-nat
alias: nft-chain-2-nat
license: GPL
srcversion: 45E82B99D3993871BD6131E
depends: nf_nat,nf_tables
intree: Y
name: nft_chain_nat
vermagic: 5.6.18 SMP preempt mod_unload modversions
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-24 8:14 ` Florian Westphal
@ 2020-06-24 8:47 ` ѽ҉ᶬḳ℠
2020-06-24 8:53 ` Florian Westphal
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-24 8:47 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Florian Westphal
[-- Attachment #1.1.1: Type: text/plain, Size: 2680 bytes --]
On 24/06/2020 08:14, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> Afraid, neither variation works, each throwing
>>
>> /etc/fw/test.conf:2:15-24: Error: Could not process rule: No such file or
>> directory
>> chain prerouting {
>> ^^^^^^^^^^
>> /etc/fw/test.conf:6:15-19: Error: Could not process rule: No such file or
>> directory
>> chain input {
>> ^^^^^
>> /etc/fw/test.conf:10:15-20: Error: Could not process rule: No such file or
>> directory
>> chain output {
>> ^^^^^^
>> /etc/fw/test.conf:14:15-25: Error: Could not process rule: No such file or
>> directory
>> chain postrouting {
>> ^^^^^^^^^^^
>>
>> Don't know whether txt attachments are accepted on this ML but enclosed full
>> debug output (if its gets through), through it does not seem to reveal
>> anything useful?
> No.
>
>> Could this be a bug in the kernel?
> Its a kernel bug, or misconfiguration. Nat hook is provided via
>
> modinfo nft_chain_nat
> filename:
> /lib/modules/5.6.18/kernel/net/netfilter/nft_chain_nat.ko.gz
> alias: nft-chain-1-nat
> alias: nft-chain-10-nat
> alias: nft-chain-2-nat
> license: GPL
> srcversion: 45E82B99D3993871BD6131E
> depends: nf_nat,nf_tables
> intree: Y
> name: nft_chain_nat
> vermagic: 5.6.18 SMP preempt mod_unload modversions
Getting somewhere now, unless there are different kconf flags in 5.6 for
building that module, least on this node with 5.4:
modinfo: ERROR: Module alias nft_chain_nat not found.
Which kconf flag is supposed to generate that particular module? Looked
into https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig
but could not find something specific that builds that module.
This node's repo ships:
kmod-nft-core:
/lib/modules/5.4.48/nft_reject.ko
/lib/modules/5.4.48/nft_reject_ipv4.ko
/lib/modules/5.4.48/nf_tables_set.ko
/lib/modules/5.4.48/nft_numgen.ko
/lib/modules/5.4.48/nft_counter.ko
/lib/modules/5.4.48/nft_reject_ipv6.ko
/lib/modules/5.4.48/nft_ct.ko
/lib/modules/5.4.48/nf_tables.ko
/lib/modules/5.4.48/nft_redir.ko
/lib/modules/5.4.48/nft_limit.ko
/lib/modules/5.4.48/nft_hash.ko
/lib/modules/5.4.48/nft_objref.ko
/lib/modules/5.4.48/nft_reject_inet.ko
/lib/modules/5.4.48/nft_quota.ko
/lib/modules/5.4.48/nft_log.ko
kmod-nft-nat:
/lib/modules/5.4.48/nft_masq.ko
/lib/modules/5.4.48/nft_nat.ko
kmod-nft-nat6:
appears to be an empty package
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-24 8:47 ` ѽ҉ᶬḳ℠
@ 2020-06-24 8:53 ` Florian Westphal
2020-06-24 8:59 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Florian Westphal @ 2020-06-24 8:53 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠
Cc: netfilter@vger.kernel.org, Florian Westphal
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Getting somewhere now, unless there are different kconf flags in 5.6 for
> building that module, least on this node with 5.4:
>
> modinfo: ERROR: Module alias nft_chain_nat not found.
>
> Which kconf flag is supposed to generate that particular module? Looked into
> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
> not find something specific that builds that module.
https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
-> CONFIG_NFT_NAT
... which you seem to have enabled already.
So I would guess that the build system used doesn't pick the module up
for some reason.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-24 8:53 ` Florian Westphal
@ 2020-06-24 8:59 ` ѽ҉ᶬḳ℠
2020-06-25 1:45 ` Duncan Roe
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-24 8:59 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: Florian Westphal
[-- Attachment #1.1.1: Type: text/plain, Size: 862 bytes --]
On 24/06/2020 08:53, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>
>> Getting somewhere now, unless there are different kconf flags in 5.6 for
>> building that module, least on this node with 5.4:
>>
>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>
>> Which kconf flag is supposed to generate that particular module? Looked into
>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
>> not find something specific that builds that module.
> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>
> -> CONFIG_NFT_NAT
>
> ... which you seem to have enabled already.
> So I would guess that the build system used doesn't pick the module up
> for some reason.
Thank you for the assistance. Will take it up with the distro
maintainers to take a look at their build system.
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-24 8:59 ` ѽ҉ᶬḳ℠
@ 2020-06-25 1:45 ` Duncan Roe
2020-06-25 7:13 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: Duncan Roe @ 2020-06-25 1:45 UTC (permalink / raw)
To: ?????????????; +Cc: netfilter@vger.kernel.org, Florian Westphal
On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
> On 24/06/2020 08:53, Florian Westphal wrote:
> > ????????????? <vtol@gmx.net> wrote:
> > > Getting somewhere now, unless there are different kconf flags in 5.6 for
> > > building that module, least on this node with 5.4:
> > >
> > > modinfo: ERROR: Module alias nft_chain_nat not found.
> > >
> > > Which kconf flag is supposed to generate that particular module? Looked into
> > > https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
> > > not find something specific that builds that module.
> > https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
> >
> > -> CONFIG_NFT_NAT
> >
> > ... which you seem to have enabled already.
> > So I would guess that the build system used doesn't pick the module up
> > for some reason.
>
> Thank you for the assistance. Will take it up with the distro maintainers to
> take a look at their build system.
What is your distro BTW?
In the meantime, maybe a depmod would help, if you haven't already tried that.
Cheers ... Duncan.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-25 1:45 ` Duncan Roe
@ 2020-06-25 7:13 ` ѽ҉ᶬḳ℠
2020-06-25 8:45 ` ѽ҉ᶬḳ℠
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-25 7:13 UTC (permalink / raw)
To: netfilter@vger.kernel.org
[-- Attachment #1.1.1: Type: text/plain, Size: 1379 bytes --]
On 25/06/2020 01:45, Duncan Roe wrote:
> On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
>> On 24/06/2020 08:53, Florian Westphal wrote:
>>> ????????????? <vtol@gmx.net> wrote:
>>>> Getting somewhere now, unless there are different kconf flags in 5.6 for
>>>> building that module, least on this node with 5.4:
>>>>
>>>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>>>
>>>> Which kconf flag is supposed to generate that particular module? Looked into
>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig but could
>>>> not find something specific that builds that module.
>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>>>
>>> -> CONFIG_NFT_NAT
>>>
>>> ... which you seem to have enabled already.
>>> So I would guess that the build system used doesn't pick the module up
>>> for some reason.
>> Thank you for the assistance. Will take it up with the distro maintainers to
>> take a look at their build system.
> What is your distro BTW?
OpenWrt, whilst revolving around routers it is not NFT centric.
>
> In the meantime, maybe a depmod would help, if you haven't already tried that.
>
> Cheers ... Duncan.
Does not work with the distro as it does not provide the necessary
directories /lib/modules/$(uname -r)/modules.order and
/lib/modules/$(uname -r)/modules.builtin
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-25 7:13 ` ѽ҉ᶬḳ℠
@ 2020-06-25 8:45 ` ѽ҉ᶬḳ℠
2020-06-26 3:28 ` Duncan Roe
0 siblings, 1 reply; 15+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-06-25 8:45 UTC (permalink / raw)
To: netfilter@vger.kernel.org
[-- Attachment #1.1.1: Type: text/plain, Size: 2318 bytes --]
On 25/06/2020 07:13, ѽ҉ᶬḳ℠ wrote:
>
> On 25/06/2020 01:45, Duncan Roe wrote:
>> On Wed, Jun 24, 2020 at 08:59:00AM +0000, ????????????? wrote:
>>> On 24/06/2020 08:53, Florian Westphal wrote:
>>>> ????????????? <vtol@gmx.net> wrote:
>>>>> Getting somewhere now, unless there are different kconf flags in
>>>>> 5.6 for
>>>>> building that module, least on this node with 5.4:
>>>>>
>>>>> modinfo: ERROR: Module alias nft_chain_nat not found.
>>>>>
>>>>> Which kconf flag is supposed to generate that particular module?
>>>>> Looked into
>>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig
>>>>> but could
>>>>> not find something specific that builds that module.
>>>> https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Makefile
>>>>
>>>> -> CONFIG_NFT_NAT
>>>>
>>>> ... which you seem to have enabled already.
>>>> So I would guess that the build system used doesn't pick the module up
>>>> for some reason.
>>> Thank you for the assistance. Will take it up with the distro
>>> maintainers to
>>> take a look at their build system.
>> What is your distro BTW?
>
> OpenWrt, whilst revolving around routers it is not NFT centric.
>
>>
>> In the meantime, maybe a depmod would help, if you haven't already
>> tried that.
>>
>> Cheers ... Duncan.
>
> Does not work with the distro as it does not provide the necessary
> directories /lib/modules/$(uname -r)/modules.order and
> /lib/modules/$(uname -r)/modules.builtin
Alternatively there is - oddly none exhibiting a dependency on
nft_chain_nat:
ls /lib/modules/$(uname -r) | grep nat
iptable_nat.ko
nf_nat.ko
nf_nat_amanda.ko
nf_nat_ftp.ko
nf_nat_h323.ko
nf_nat_irc.ko
nf_nat_pptp.ko
nf_nat_sip.ko
nf_nat_snmp_basic.ko
nf_nat_tftp.ko
nft_nat.ko
xt_nat.ko
modprobe -D nf_nat
insmod /lib/modules/5.4.48/nf_defrag_ipv4.ko
insmod /lib/modules/5.4.48/nf_defrag_ipv6.ko
insmod /lib/modules/5.4.48/nf_conntrack.ko
insmod /lib/modules/5.4.48/nf_nat.ko
modprobe -D nft_nat
insmod /lib/modules/5.4.48/nf_defrag_ipv4.ko
insmod /lib/modules/5.4.48/nf_defrag_ipv6.ko
insmod /lib/modules/5.4.48/nf_conntrack.ko
insmod /lib/modules/5.4.48/nf_nat.ko
insmod /lib/modules/5.4.48/nfnetlink.ko
insmod /lib/modules/5.4.48/nf_tables.ko
insmod /lib/modules/5.4.48/nft_nat.ko
[-- Attachment #1.1.2: OpenPGP_0xF4F735931F05C5CE.asc --]
[-- Type: application/pgp-keys, Size: 3155 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work
2020-06-25 8:45 ` ѽ҉ᶬḳ℠
@ 2020-06-26 3:28 ` Duncan Roe
0 siblings, 0 replies; 15+ messages in thread
From: Duncan Roe @ 2020-06-26 3:28 UTC (permalink / raw)
To: netfilter@vger.kernel.org
On Thu, Jun 25, 2020 at 08:45:00AM +0000, ????????????? wrote:
> On 25/06/2020 07:13, ????????????? wrote:
[...]
> >
> > OpenWrt, whilst revolving around routers it is not NFT centric.
> >
[...]
> >
> > Does not work with the distro as it does not provide the necessary
> > directories /lib/modules/$(uname -r)/modules.order and
> > /lib/modules/$(uname -r)/modules.builtin
That is odd. The 2 files are approx 130KB and 13KB and are always produced in a
kernel build.
>
> Alternatively there is - oddly none exhibiting a dependency on
> nft_chain_nat:
>
nft_chain_nat depends on nf_nat & nf_tables, not vice versa.
The kernel loads it in respone to the netlink message generated by
> nft 'add chain inet nat prerouting...
I can't reproduce what you see even with these revisions:
# nft --version
nftables v0.9.3 (Topsy)
# ls -1 /usr/lib64/libnftnl*
/usr/lib64/libnftnl.so
/usr/lib64/libnftnl.so.11
/usr/lib64/libnftnl.so.11.2.0
# uname -r
5.4.48
If you modprobe nft_chain_nat as part of the boot process, you should of course
be fine.
To explore the problem further, I would build a 5.4.48 kernel from kernel.org
source, using the .config you have. As long as you have a spare 6G disc space,
you gould git clone
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (6GB allows for a
build).
Cheers ... Duncan.
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2020-06-26 3:28 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-23 20:38 [nft 0.9.3 | kernel 5.4.48] cannot get NAT to work ѽ҉ᶬḳ℠
2020-06-23 21:23 ` Florian Westphal
2020-06-23 21:34 ` ѽ҉ᶬḳ℠
2020-06-23 21:52 ` Florian Westphal
2020-06-23 22:12 ` ѽ҉ᶬḳ℠
2020-06-23 22:48 ` Florian Westphal
2020-06-23 23:11 ` ѽ҉ᶬḳ℠
2020-06-24 8:14 ` Florian Westphal
2020-06-24 8:47 ` ѽ҉ᶬḳ℠
2020-06-24 8:53 ` Florian Westphal
2020-06-24 8:59 ` ѽ҉ᶬḳ℠
2020-06-25 1:45 ` Duncan Roe
2020-06-25 7:13 ` ѽ҉ᶬḳ℠
2020-06-25 8:45 ` ѽ҉ᶬḳ℠
2020-06-26 3:28 ` Duncan Roe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox