netfilter.vger.kernel.org archive mirror
* Implicit add conflicts with declarative add
From: S Egbert @ 2025-08-20 18:39 UTC
  To: netfilter

Take the following NFT snippet:

     add table ip table_id             # imperative
     add chain ip table_id chain_id    # imperative???

     table ip table_id {
         chain chain_id {              # declarative
             type nat hook input priority 0; policy drop;
             ip daddr 192.168.1.100 dnat to 192.168.1.200;
         };
     };

Fails with:


     add-chain.tp.nft:6:9-38: Error: Chain of type "nat" is not supported, perhaps kernel support is missing?
             type nat hook input priority 0; policy drop;
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


BUT, remove the 'add chain' lines, and `nft -c` exit code becomes a 0 
(success).

I see what I did wrong:

1. forgot to specify the correct chain type ... 2nd time (imperative), 
or define the correct chain type during the declarative stage
2. type/hook must align between 'add chain' imperative and 'table-chain' 
declarative
3. drop the 'add chain'

but the error message mmmm could be a bit more concise.

But I am not expecting a fix there because I saw what I did wrong.  Just 
concerned for the next fellow who stumbled my way.


I have all the NAT kernel modules loaded (including nf_chain_nat/nf_nat).

Running nftables v1.1.4 (tag, a83dab190a4cc6d770aa2b57079c78fd205a2abd), 
dated August 6, 2025.
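
A pre-flight lint for the mismatch described in the post above, as an added example that is not part of the original message or of nftables: it flags any chain that is created by an imperative `add chain` and also defined in a declarative `table { chain { ... } }` block with a different `type`/`hook` specification. The name `find_conflicts`, the regex-based parsing (explicit family, simple identifiers, one statement per line) and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample: the ruleset quoted in the post above.
SAMPLE = """\
add table ip table_id
add chain ip table_id chain_id    # imperative, no type/hook given

table ip table_id {
    chain chain_id {
        type nat hook input priority 0; policy drop;
        ip daddr 192.168.1.100 dnat to 192.168.1.200;
    };
};
"""

ADD_CHAIN = re.compile(r"^\s*add\s+chain\s+(\w+)\s+(\w+)\s+(\w+)\s*(\{.*)?$")
TABLE = re.compile(r"^\s*table\s+(\w+)\s+(\w+)\s*\{")
CHAIN = re.compile(r"^\s*chain\s+(\w+)\s*\{")
BASE = re.compile(r"\btype\s+(\w+)\s+hook\s+(\w+)")


def find_conflicts(text):
    """Return [(chain_key, imperative_spec, declarative_spec)] for every chain
    whose 'add chain' command and declarative block disagree on (type, hook).
    A spec of None means no type/hook was given."""
    imperative, declarative = {}, {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = ADD_CHAIN.match(line)
        if m:                                 # imperative form
            spec = BASE.search(m.group(4) or "")
            imperative[m.group(1, 2, 3)] = spec.groups() if spec else None
            continue
        m = TABLE.match(line)
        if m:                                 # entering a declarative table
            table, chain = m.group(1, 2), None
        m = CHAIN.match(line)
        if m and table:                       # entering a declarative chain
            chain = table + (m.group(1),)
            declarative.setdefault(chain, None)
        spec = BASE.search(line)
        if spec and chain:
            declarative[chain] = spec.groups()
    return [(key, imperative[key], declarative[key]) for key in imperative
            if key in declarative and imperative[key] != declarative[key]]


if __name__ == "__main__":
    for key, imp, dec in find_conflicts(SAMPLE):
        print("conflict on", " ".join(key), "- add chain:", imp, "block:", dec)
```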


* Re: Implicit add conflicts with declarative add
From: Gordon Fisher @ 2025-08-21 17:41 UTC
  To: netfilter

On 8/20/25 11:39, S Egbert wrote:
> Take the following NFT snippet:
>
>     add table ip table_id             # imperative
>     add chain ip table_id chain_id    # imperative???
>
>     table ip table_id {
>         chain chain_id {              # declarative
>             type nat hook input priority 0; policy drop;
>             ip daddr 192.168.1.100 dnat to 192.168.1.200;
>         };
>     };
>
> Fails with:
>
>
>     add-chain.tp.nft:6:9-38: Error: Chain of type "nat" is not supported, perhaps kernel support is missing?
>             type nat hook input priority 0; policy drop;
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
I believe the issue is that ``type nat`` is a table type rather than a chain 
type, so it appears that you have that part of the declaration in the 
wrong place (the policy portion is indeed for a chain).

-- 
GF

