* "nft list hooks" not working (empty output)
From: Binarus @ 2026-06-10 22:24 UTC
To: netfilter
Dear all,
according to the man page for nft, "nft list hooks" should list all functions registered at each hook, along with their priorities, and including the internal nftables functions. I am understanding this in the sense that "nft list hooks" should output something at least when there actually is a ruleset.
But on my test system, that output is always empty. Please consider the following excerpt from a terminal session:
root@charon /etc/network # nft list ruleset
table ip t_IP {
        chain input-filter {
                type filter hook input priority filter; policy accept;
                ip protocol icmp drop
        }
}
root@charon /etc/network # nft list hooks
root@charon /etc/network #
Of course, that ruleset does not make any sense, but it serves its purpose for testing. "nft list hooks" should output something in that situation, shouldn't it?
This happens on Debian trixie, kernel 6.12.90, nftables 1.1.3.
I also have tried "nft list hooks inet" with the same result.
Furthermore, I have created another ruleset with an ingress filter and have tried "nft list hooks netdev", which also gave no output.
Any advice or explanation? Where is my misunderstanding or mistake?
Thank you very much in advance,
Binarus
* Re: "nft list hooks" not working (empty output)
From: Pablo Neira Ayuso @ 2026-06-10 23:15 UTC
To: Binarus; +Cc: netfilter
On Thu, Jun 11, 2026 at 12:24:28AM +0200, Binarus wrote:
> Dear all,
>
> according to the man page for nft, "nft list hooks" should list all functions registered at each hook, along with their priorities, and including the internal nftables functions. I am understanding this in the sense that "nft list hooks" should output something at least when there actually is a ruleset.
>
> But on my test system, that output is always empty. Please consider the following excerpt from a terminal session:
>
> root@charon /etc/network # nft list ruleset
> table ip t_IP {
>         chain input-filter {
>                 type filter hook input priority filter; policy accept;
>                 ip protocol icmp drop
>         }
> }
> root@charon /etc/network # nft list hooks
> root@charon /etc/network #
>
> Of course, that ruleset does not make any sense, but it serves its purpose for testing. "nft list hooks" should output something in that situation, shouldn't it?
>
> This happens on Debian trixie, kernel 6.12.90, nftables 1.1.3.
>
> I also have tried "nft list hooks inet" with the same result.
>
> Furthermore, I have created another ruleset with an ingress filter and have tried "nft list hooks netdev", which also gave no output.
>
> Any advice or explanation? Where is my misunderstanding or mistake?
It seems debian kernels do not compile support for this command?
grep CONFIG_NETFILTER_NETLINK_HOOK /boot/config-6.12.74+deb13+1-amd64
# CONFIG_NETFILTER_NETLINK_HOOK is not set
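A fuller form of the config check from the reply above, as an added example that is not part of the original thread. It reads the config of the running kernel (`uname -r`) rather than a fixed file name, falls back to /proc/config.gz, and separates `=y`, `=m`, "is not set" and "not mentioned". The function names are illustrative, and the module name nfnetlink_hook is taken from the upstream kernel source, not from this thread.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of nftables.

# kconfig_state FILE OPTION -> builtin | module | disabled | absent
kconfig_state() {
    file=$1 opt=$2
    case $file in
        *.gz) reader="gzip -dc" ;;   # /proc/config.gz is gzip-compressed
        *)    reader="cat" ;;
    esac
    # Whole-line comparison, so CONFIG_FOO never matches CONFIG_FOO_BAR.
    $reader "$file" 2>/dev/null | awk -v opt="$opt" '
        $0 == (opt "=y")               { s = "builtin" }
        $0 == (opt "=m")               { s = "module" }
        $0 == ("# " opt " is not set") { s = "disabled" }
        END { print (s ? s : "absent") }'
}

# running_kernel_config -> path of a readable config for the running kernel
running_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# explain STATE -> what the state means for "nft list hooks"
explain() {
    case $1 in
        builtin)  echo "hook listing support is built into the kernel" ;;
        module)   echo "hook listing support is a module (nfnetlink_hook)" ;;
        disabled) echo "hook listing support is compiled out" ;;
        *)        echo "option not mentioned in this config" ;;
    esac
}

# Constructed sample config reproducing the state reported in the thread.
SAMPLE=$(mktemp)
printf '%s\n' 'CONFIG_NETFILTER_NETLINK=m' \
    '# CONFIG_NETFILTER_NETLINK_HOOK is not set' > "$SAMPLE"
state=$(kconfig_state "$SAMPLE" CONFIG_NETFILTER_NETLINK_HOOK)
echo "sample: $state: $(explain "$state")"

# The same check against the kernel that is actually running, if readable.
if cfg=$(running_kernel_config); then
    state=$(kconfig_state "$cfg" CONFIG_NETFILTER_NETLINK_HOOK)
    echo "$cfg: $state: $(explain "$state")"
fi
```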
* Re: "nft list hooks" not working (empty output)
From: Kerin Millar @ 2026-06-11 1:10 UTC
To: Pablo Neira Ayuso, Binarus; +Cc: netfilter
On Thu, 11 Jun 2026, at 12:15 AM, Pablo Neira Ayuso wrote:
> On Thu, Jun 11, 2026 at 12:24:28AM +0200, Binarus wrote:
>> Dear all,
>>
>> according to the man page for nft, "nft list hooks" should list all functions registered at each hook, along with their priorities, and including the internal nftables functions. I am understanding this in the sense that "nft list hooks" should output something at least when there actually is a ruleset.
>>
>> But on my test system, that output is always empty. Please consider the following excerpt from a terminal session:
>>
>> root@charon /etc/network # nft list ruleset
>> table ip t_IP {
>>         chain input-filter {
>>                 type filter hook input priority filter; policy accept;
>>                 ip protocol icmp drop
>>         }
>> }
>> root@charon /etc/network # nft list hooks
>> root@charon /etc/network #
>>
>> Of course, that ruleset does not make any sense, but it serves its purpose for testing. "nft list hooks" should output something in that situation, shouldn't it?
>>
>> This happens on Debian trixie, kernel 6.12.90, nftables 1.1.3.
>>
>> I also have tried "nft list hooks inet" with the same result.
>>
>> Furthermore, I have created another ruleset with an ingress filter and have tried "nft list hooks netdev", which also gave no output.
>>
>> Any advice or explanation? Where is my misunderstanding or mistake?
>
> It seems debian kernels do not compile support for this command?
>
> grep CONFIG_NETFILTER_NETLINK_HOOK /boot/config-6.12.74+deb13+1-amd64
> # CONFIG_NETFILTER_NETLINK_HOOK is not set
For that matter, someone asked about this at Libera about three weeks ago. It's a puzzling omission.
--
Kerin Millar
* Re: "nft list hooks" not working (empty output)
From: Binarus @ 2026-06-11 5:32 UTC
To: netfilter
On 11.06.2026 01:15, Pablo Neira Ayuso wrote:
> On Thu, Jun 11, 2026 at 12:24:28AM +0200, Binarus wrote:
>> Dear all,
>>
>> according to the man page for nft, "nft list hooks" should list all functions registered at each hook, along with their priorities, and including the internal nftables functions. I am understanding this in the sense that "nft list hooks" should output something at least when there actually is a ruleset.
>>
>> But on my test system, that output is always empty. Please consider the following excerpt from a terminal session:
>>
>> root@charon /etc/network # nft list ruleset
>> table ip t_IP {
>>         chain input-filter {
>>                 type filter hook input priority filter; policy accept;
>>                 ip protocol icmp drop
>>         }
>> }
>> root@charon /etc/network # nft list hooks
>> root@charon /etc/network #
>>
>> Of course, that ruleset does not make any sense, but it serves its purpose for testing. "nft list hooks" should output something in that situation, shouldn't it?
>>
>> This happens on Debian trixie, kernel 6.12.90, nftables 1.1.3.
>>
>> I also have tried "nft list hooks inet" with the same result.
>>
>> Furthermore, I have created another ruleset with an ingress filter and have tried "nft list hooks netdev", which also gave no output.
>>
>> Any advice or explanation? Where is my misunderstanding or mistake?
>
> It seems debian kernels do not compile support for this command?
>
> grep CONFIG_NETFILTER_NETLINK_HOOK /boot/config-6.12.74+deb13+1-amd64
> # CONFIG_NETFILTER_NETLINK_HOOK is not set
I see. Obviously, they now finally have lost it. Honestly, I would never have come to that idea.
Thank you very much for the help!