* issue with nftable - goto : Operation not supported
From: leroy christophe @ 2014-11-25 17:29 UTC
To: netfilter

Using nft, I'm trying to jump to another table from the end of a
table and I get the following error.

root@localhost:~# nft add rule filter input goto accs
<cmdline>:1:1-31: Error: Could not process rule: Operation not supported
add rule filter input goto accs
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What could be the reason?

I'm using
* nftables-20141121
* gmp-4.3.2
* libmnl-1.0.3
* libnfnetlink-1.0.1
* libnftnl-20141121
* libnetfilter_conntrack-1.0.4

Christophe
* Re: issue with nftable - goto : Operation not supported
From: Pablo Neira Ayuso @ 2014-11-26 13:00 UTC
To: leroy christophe; +Cc: netfilter

On Tue, Nov 25, 2014 at 06:29:53PM +0100, leroy christophe wrote:
> Using nft, I'm trying to jump to another table from the end of a
> table and I get the following error.
>
> root@localhost:~# nft add rule filter input goto accs
> <cmdline>:1:1-31: Error: Could not process rule: Operation not supported
> add rule filter input goto accs
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> What could be the reason?
>
> I'm using
> * nftables-20141121
> * gmp-4.3.2
> * libmnl-1.0.3
> * libnfnetlink-1.0.1
> * libnftnl-20141121
> * libnetfilter_conntrack-1.0.4

Kernel version?

Could you run this command with strace:

strace nft add rule ...

Could you post the relevant part of your ruleset (table and chain
configuration)?

Thanks.
* Re: issue with nftable - goto : Operation not supported
From: leroy christophe @ 2014-11-26 17:15 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

On 26/11/2014 14:00, Pablo Neira Ayuso wrote:
> On Tue, Nov 25, 2014 at 06:29:53PM +0100, leroy christophe wrote:
>> Using nft, I'm trying to jump to another table from the end of a
>> table and I get the following error.
>>
>> root@localhost:~# nft add rule filter input goto accs
>> <cmdline>:1:1-31: Error: Could not process rule: Operation not supported
>> add rule filter input goto accs
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> What could be the reason?
>>
>> I'm using
>> * nftables-20141121
>> * gmp-4.3.2
>> * libmnl-1.0.3
>> * libnfnetlink-1.0.1
>> * libnftnl-20141121
>> * libnetfilter_conntrack-1.0.4
> Kernel version?

3.17.4

>
> Could you run this command with strace:
>
> strace nft add rule ...

See at the end

>
> Could you post the relevant part of your ruleset (table and chain
> configuration)?

root@vgoip:~# nft list table filter
table ip filter {
        chain forward {
                 type filter hook forward priority 0;
                 drop
        }
}

root@vgoip:~# ./mynft.sh start
+ echo Starting NFTABLES test ...
Starting NFTABLES test ...
+ Start
+ nft add chain ip filter rej { type filter hook input priority 20 ; }
+ nft add rule filter rej ip saddr 192.168.2.0/24 reject with icmp type host-prohibited
+ nft add rule filter rej drop
+ nft add chain ip filter test { type filter hook input priority 10 ; }
+ nft add rule filter test meta oifname lo accept
+ nft add rule filter test icmp type echo-request ip saddr 192.168.2.1 accept
+ nft add rule filter test icmp type {echo-request,timestamp-request} goto rej
<cmdline>:1:1-72: Error: Could not process rule: Operation not supported
add rule filter test icmp type {echo-request,timestamp-request} goto rej
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ nft add rule filter test ct state {established, related} accept
+ nft add rule filter test ct state new tcp dport 22 ip saddr 192.168.2.1 accept
+ nft add rule filter test goto rej
<cmdline>:1:1-29: Error: Could not process rule: Operation not supported
add rule filter test goto rej
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ return 0
+ Result=0
+ echo Done
Done
+ exit 0

root@vgoip:~# nft list table filter
table ip filter {
        chain forward {
                 type filter hook forward priority 0;
                 drop
        }

        chain rej {
                 type filter hook input priority 20;
                 ip saddr 192.168.2.0/24 reject with icmp type 10
                 drop
        }

        chain test {
                 type filter hook input priority 10;
                 oifname "lo" accept
                 unknown unknown 0x8 [invalid type] ip saddr 192.168.2.1 accept
                 ct state { 4, 2} accept
                 ct state 8 unknown unknown 0x16 [invalid type] ip saddr 192.168.2.1 accept
        }
}

root@vgoip:~# strace -f nft add rule filter test goto rej
execve("/usr/sbin/nft", ["nft", "add", "rule", "filter", "test", "goto", "rej"], [/* 10 vars */]) = 0
brk(0) = 0x10069000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/usr/lib/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/usr/lib/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib", {st_mode=S_IFDIR|0755, st_size=912, ...}) = 0
open("/lib/tls/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/lib/tls/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/lib/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or directory)
open("/lib/libmnl.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0\23\264\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=18666, ...}) = 0
mmap(0xffdc000, 78792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffdc000
mprotect(0xffe0000, 61440, PROT_NONE) = 0
mmap(0xffef000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0xffef000
close(3) = 0
open("/usr/lib/libnftnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libnftnl.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0V\350\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=130461, ...}) = 0
mmap(0xffa1000, 174260, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffa1000
mprotect(0xffbb000, 61440, PROT_NONE) = 0
mmap(0xffca000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0xffca000
close(3) = 0
open("/usr/lib/libgmp.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libgmp.so.3", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0s\300\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=368473, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77ced000
mmap(0xff2b000, 414688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xff2b000
mprotect(0xff80000, 61440, PROT_NONE) = 0
mmap(0xff8f000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x54000) = 0xff8f000
mmap(0xff90000, 992, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xff90000
close(3) = 0
open("/usr/lib/libncurses.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libncurses.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0\301d\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=284121, ...}) = 0
mmap(0xfecc000, 322280, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xfecc000
mprotect(0xff05000, 65536, PROT_NONE) = 0
mmap(0xff15000, 20480, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x39000) = 0xff15000
mmap(0xff1a000, 2792, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xff1a000
close(3) = 0
open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\2\16t\0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1746172, ...}) = 0
mmap(0xfd36000, 1596552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xfd36000
mprotect(0xfea4000, 65536, PROT_NONE) = 0
mmap(0xfeb4000, 24576, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0xfeb4000
mmap(0xfeba000, 7304, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xfeba000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77cec000
mprotect(0xfeb4000, 8192, PROT_READ) = 0
mprotect(0x77cee000, 4096, PROT_READ) = 0
brk(0) = 0x10069000
brk(0x1008a000) = 0x1008a000
socket(PF_NETLINK, SOCK_RAW, 12) = 3
fcntl64(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
open("/etc/xtables/connlabel.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/iproute2/group", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/iproute2/rt_realms", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/iproute2/rt_marks", O_RDONLY) = -1 ENOENT (No such file or directory)
sendto(3, "\0\0\0\24\0\20\0\1\0\0\0\0\0\0\0\0\2\0\0\n\0\0\0\24\n\t\0\5\0\0\0\1"..., 60, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 60
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0(\0\2\0\0\0\0\0\1\0\0\1\327\377\377\377\352\0\0\0\24\n\t\0\5\0\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 40
sendto(3, "\0\0\0\24\n\20\0\1\0\0\0\3\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0(\0\2\0\0\0\0\0\3\0\0\1\327\377\377\377\352\0\0\0\24\n\20\0\1\0\0\0\3"..., 69631}], msg_controllen=0, msg_flags=0}, 0) = 40
mmap(NULL, 204800, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77c8d000
setsockopt(3, SOL_SOCKET, 0x20 /* SO_??? */, [131072], 4) = 0
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0\24\0\20\0\1\0\0\0\3\0\0\0\0\0\0\0\n\0\0\0h\n\6\16\1\0\0\0\4"..., 144}], msg_controllen=0, msg_flags=0}, 0) = 144
select(4, [3], NULL, NULL, {0, 0}) = 1 (in [3], left {0, 0})
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\0\0\0|\0\2\0\0\0\0\0\4\0\0\1\327\377\377\377\241\0\0\0h\n\6\16\1\0\0\0\4"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 124
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
munmap(0x77c8d000, 204800) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(204, 46), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77ceb000
write(1, "<cmdline>:1:1-29: Error: Could n"..., 73<cmdline>:1:1-29: Error: Could not process rule: Operation not supported
) = 73
write(1, "add rule filter test goto rej\n", 30add rule filter test goto rej
) = 30
write(1, "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n", 30^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
) = 30
close(3) = 0
exit_group(1) = ?
+++ exited with 1 +++
* Re: issue with nftable - goto : Operation not supported
From: Pablo Neira Ayuso @ 2014-11-26 17:47 UTC
To: leroy christophe; +Cc: netfilter

On Wed, Nov 26, 2014 at 06:15:38PM +0100, leroy christophe wrote:
>
> On 26/11/2014 14:00, Pablo Neira Ayuso wrote:
> >On Tue, Nov 25, 2014 at 06:29:53PM +0100, leroy christophe wrote:
> >>Using nft, I'm trying to jump to another table from the end of a
> >>table and I get the following error.
> >>
> >>root@localhost:~# nft add rule filter input goto accs
> >><cmdline>:1:1-31: Error: Could not process rule: Operation not supported
> >>add rule filter input goto accs
> >>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>
> >>What could be the reason?
> >>
> >>I'm using
> >>* nftables-20141121
> >>* gmp-4.3.2
> >>* libmnl-1.0.3
> >>* libnfnetlink-1.0.1
> >>* libnftnl-20141121
> >>* libnetfilter_conntrack-1.0.4
> >Kernel version?
> 3.17.4
> >
> >Could you run this command with strace:
> >
> >strace nft add rule ...
> See at the end
> >
> >Could you post the relevant part of your ruleset (table and chain
> >configuration)?
> root@vgoip:~# nft list table filter
> table ip filter {
>         chain forward {
>                  type filter hook forward priority 0;
>                  drop
>         }
> }
>
> root@vgoip:~# ./mynft.sh start

Use 'nft -f file' to load your ruleset instead of scripts. Otherwise
the rule-set is not loaded atomically, and it will also take longer to
load your ruleset. Please, help spread the word, people should use nft -f.

> + echo Starting NFTABLES test ...
> Starting NFTABLES test ...
> + Start
> + nft add chain ip filter rej { type filter hook input priority 20 ; }
> + nft add rule filter rej ip saddr 192.168.2.0/24 reject with icmp
> type host-prohibited
> + nft add rule filter rej drop
> + nft add chain ip filter test { type filter hook input priority 10 ; }
> + nft add rule filter test meta oifname lo accept
> + nft add rule filter test icmp type echo-request ip saddr
> 192.168.2.1 accept
> + nft add rule filter test icmp type
> {echo-request,timestamp-request} goto rej
> <cmdline>:1:1-72: Error: Could not process rule: Operation not supported
> add rule filter test icmp type {echo-request,timestamp-request} goto rej
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You cannot 'goto' a base chain, note that 'rej' is a base chain.

+ nft add chain ip filter rej { type filter hook input priority 20 ; }

I guess your intention was to define this as a non-base chain, i.e.

nft add chain ip filter rej

Note that non-base chains don't see any traffic unless there is a rule
that jumps/gotos to them.
* Re: issue with nftable - goto : Operation not supported
From: leroy christophe @ 2014-11-26 18:00 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

On 26/11/2014 18:47, Pablo Neira Ayuso wrote:
> Use 'nft -f file' to load your ruleset instead of scripts. Otherwise
> the rule-set is not loaded atomically, and it will also take longer to
> load your ruleset. Please, help spread the word, people should use nft -f.

I wanted to use 'nft -f' at the beginning but I faced some issues.

How is 'nft -f' to be used? Does it take as input the output of
'nft list table filter'?

I tried it, it adds rules but doesn't remove the previous ones. How can
I replace previous rules in one go with 'nft -f'?

How can it interpret the below output which seems buggy?

root@vgoip:~# nft list table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
                 oifname "lo" accept
                 ip protocol icmp accept
                 ct state 8 unknown unknown 0x16 [invalid type] accept
                 ct state { 4, 2} accept
                 reject with icmp type 10
        }

        chain forward {
                 type filter hook forward priority 0;
                 drop
        }
}

Looks like it dumps using numeric values, but crashes when trying to use
those numeric values

root@vgoip:~# nft add rule filter input ct state { 4, 2} accept
Segmentation fault (core dumped)

https://wiki.archlinux.org/index.php/nftables says that "nft -f" is not
atomic. Is it wrong?
* Re: issue with nftable - goto : Operation not supported
From: Pablo Neira Ayuso @ 2014-11-26 18:13 UTC
To: leroy christophe; +Cc: netfilter

On Wed, Nov 26, 2014 at 07:00:14PM +0100, leroy christophe wrote:
>
> On 26/11/2014 18:47, Pablo Neira Ayuso wrote:
> >Use 'nft -f file' to load your ruleset instead of scripts.
> >Otherwise the rule-set is not loaded atomically, and it will also
> >take longer to load your ruleset. Please, help spread the word,
> >people should use nft -f.
>
> I wanted to use 'nft -f' at the beginning but I faced some issues.
>
> How is 'nft -f' to be used? Does it take as input the output of
> 'nft list table filter'?

Yes.

> I tried it, it adds rules but doesn't remove the previous ones. How
> can I replace previous rules in one go with 'nft -f'?

You have to prepend:

flush table filter

to the output of 'nft list table filter'.

Since 3.18, you can also use:

flush ruleset

that removes everything, including the existing table and chain
configuration.

http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

> How can it interpret the below output which seems buggy?
>
> root@vgoip:~# nft list table filter
> table ip filter {
>         chain input {
>                  type filter hook input priority 0;
>                  oifname "lo" accept
>                  ip protocol icmp accept
>                  ct state 8 unknown unknown 0x16 [invalid type] accept
>                  ct state { 4, 2} accept
>                  reject with icmp type 10
>         }

What is the original ruleset you loaded? This should not happen. Any
relevant information regarding your testbed?

>         chain forward {
>                  type filter hook forward priority 0;
>                  drop
>         }
> }
>
> Looks like it dumps using numeric values, but crashes when trying to
> use those numeric values
>
> root@vgoip:~# nft add rule filter input ct state { 4, 2} accept
> Segmentation fault (core dumped)
>
> https://wiki.archlinux.org/index.php/nftables says that "nft -f" is
> not atomic. Is it wrong?

Yes, I just fixed that and made a quick review to that wiki page.

Please, better look at the nftables wiki page:

http://wiki.nftables.org
* Re: issue with nftable - goto : Operation not supported
From: stoffl4ever @ 2014-11-26 21:45 UTC
To: netfilter

On 26.11.2014 19:13, Pablo Neira Ayuso wrote:
>> > I tried it, it adds rules but doesn't remove the previous ones. How
>> > can I replace previous rules in one go with 'nft -f'?
> You have to prepend:
>
> flush table filter
>
> to the output of 'nft list table filter'.
>
> Since 3.18, you can also use:
>
> flush ruleset
>
> that removes everything, including the existing table and chain
> configuration.

Also named sets?
I was running into this before that sets are not removed when only using:
flush table filter
* Re: issue with nftable - goto : Operation not supported
From: Arturo Borrero Gonzalez @ 2014-11-27 10:25 UTC
To: stoffl4ever; +Cc: Netfilter Users Mailing list

On 26 November 2014 at 22:45, stoffl4ever <stoffl4ever@gmail.com> wrote:
> On 26.11.2014 19:13, Pablo Neira Ayuso wrote:
>>> > I tried it, it adds rules but doesn't remove the previous ones. How
>>> > can I replace previous rules in one go with 'nft -f'?
>> You have to prepend:
>>
>> flush table filter
>>
>> to the output of 'nft list table filter'.
>>
>> Since 3.18, you can also use:
>>
>> flush ruleset
>>
>> that removes everything, including the existing table and chain
>> configuration.
> Also named sets?
> I was running into this before that sets are not removed when only using:
> flush table filter

Yes, flush ruleset will fully wipe all the ruleset, including rules,
chains, sets, and tables.

-- 
Arturo Borrero González
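Putting the three answers above together (Pablo: a goto target must be a regular chain, and a file loaded with 'nft -f' should start with a flush so it replaces the old ruleset instead of appending to it; Arturo: 'flush ruleset' also removes named sets), here is the ruleset from the mynft.sh run rewritten as a single 'nft -f' file. This is an added example, not anything posted in the thread. The set name 'admins' and the rule ordering are my choices, and the file assumes a kernel that supports 'flush ruleset' (3.18 or later, per the thread); on the 3.17.4 kernel in the thread the first line would have to be 'flush table filter', which empties the chains but leaves chains and sets in place. It also uses 'iifname' where the script used 'meta oifname': on the input hook the output interface is not known, so an 'oifname' rule there never matches and the loopback traffic would fall through to the reject chain.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Load with: nft -f /path/to/this/file
# Assumes a kernel with 'flush ruleset' (3.18+ according to the thread).

# Wipe rules, chains, sets and tables first, so the whole file below is
# applied as one atomic replacement of the running ruleset rather than
# appended to it. Reloading the same file is then idempotent.
flush ruleset

table ip filter {
        # Named set (name 'admins' is my choice): hosts allowed to ping
        # and ssh in. 'flush ruleset' removes it too, unlike
        # 'flush table filter', so a reload does not trip over it.
        set admins {
                type ipv4_addr
                elements = { 192.168.2.1 }
        }

        # Regular (non-base) chain: no 'type ... hook ...' line. It sees
        # no traffic on its own and is therefore a valid goto/jump target.
        # This is the fix for the 'Operation not supported' error: the
        # script declared 'rej' with a hook, which made it a base chain.
        chain rej {
                ip saddr 192.168.2.0/24 reject with icmp type host-prohibited
                drop
        }

        # Base chain: hooked into input, so the kernel calls it directly.
        # A base chain can never be the target of goto or jump.
        chain test {
                type filter hook input priority 10;

                # On the input hook only the input interface is known;
                # 'oifname "lo"' (as in the script) would never match here.
                iifname "lo" accept
                ct state { established, related } accept
                ip saddr @admins icmp type echo-request accept
                ip saddr @admins ct state new tcp dport 22 accept
                icmp type { echo-request, timestamp-request } goto rej

                # Everything not accepted above ends in the reject/drop chain.
                goto rej
        }
}
```

After loading, 'nft list table filter' should print the same structure back, and the same file can be fed to 'nft -f' again at any time to reset the table to exactly this state.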
* Re: issue with nftable - goto : Operation not supported
From: leroy christophe @ 2014-11-27 12:31 UTC
To: Pablo Neira Ayuso; +Cc: netfilter, netfilter-devel

On 26/11/2014 19:13, Pablo Neira Ayuso wrote:
>> How can it interpret the below output which seems buggy?
>>
>> root@vgoip:~# nft list table filter
>> table ip filter {
>>         chain input {
>>                  type filter hook input priority 0;
>>                  oifname "lo" accept
>>                  ip protocol icmp accept
>>                  ct state 8 unknown unknown 0x16 [invalid type] accept
>>                  ct state { 4, 2} accept
>>                  reject with icmp type 10
>>         }
> What is the original ruleset you loaded? This should not happen. Any
> relevant information regarding your testbed?

Ruleset is:

nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0 \; }
nft add rule filter input meta oifname lo accept
nft add rule filter input ip protocol icmp accept
nft add rule filter input ct state new tcp dport 22 accept
nft add rule filter input ct state {established, related} accept
nft add rule filter input reject with icmp type host-prohibited

Target is a powerpc
All building is done on an x86 PC, using home built cross-compile gnu
tools (binutils, gcc, glibc, ....)

I just ran 'nft' with gdb, and I have seen something wrong with byte
ordering. It looks like in symbolic_constant_print(), mpz_export_data()
returns a strange value.

First time we get there, we get 0x800000000
Next time, we get 0x400000000
Last time, we get 0x200000000

While we expect 8(new), 4(related), 2(established)

Any idea on how I can fix that?

Kernel 3.17.4
nftables-20141121
gmp-4.3.2
libmnl-1.0.3
libnfnetlink-1.0.1
libnftnl-20141121
libnetfilter_conntrack-1.0.4

Christophe