
Adding jump to vmap error "operation not supported"

Open rampxxxx opened this issue 3 years ago • 2 comments

Hi,

I'm trying to use a map to jump to different chains based on daddr, but I got the error "netlink receive: operation not supported". This is my sample code: https://go.dev/play/p/OKn2-_Dd81S. In nftables_test.go line 5016 there is a similar map, from which I copied how to create the element, with no luck.

Also, I'm trying to use a rule to do the match, and after adding IsDestRegSet as in #176 it seems the rule is created OK.

I'm working with versions v0.9.3 and v1.0.5.

Thanks in advance!

rampxxxx avatar Sep 13 '22 10:09 rampxxxx

Hi @rampxxxx,

unfortunately, transforming the code into regular nft commands shows that this won't work:

# nft flush ruleset
# nft add table test_table
# nft add chain test_table test_chain { type filter hook prerouting priority filter \; }
# nft add chain test_table test_chain_jump { type filter hook prerouting priority filter \; }
# nft add map test_table test_map { type ipv4_addr: verdict\; }
# nft add element test_table test_map { 1.1.1.1 : jump test_chain_jump }
Error: Could not process rule: Operation not supported
add element test_table test_map { 1.1.1.1 : jump test_chain_jump }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The thing is that the jump action can be used only on regular chains (see the last sentence in https://wiki.nftables.org/wiki-nftables/index.php/Jumping_to_chain). For the definition of regular chains see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Adding_regular_chains; it is basically a chain that does not have the hook keyword.

# cat nf.sh
#!/bin/bash
nft flush ruleset
nft add table test_table
nft add chain test_table test_chain { type nat hook prerouting priority filter \; }
nft add chain test_table test_chain_jump { }
nft add map test_table test_map { type ipv4_addr: verdict\; }
nft add element test_table test_map { 1.1.1.1 : jump test_chain_jump }
# bash nf.sh
# nft list ruleset
table ip test_table {
	map test_map {
		type ipv4_addr : verdict
		elements = { 1.1.1.1 : jump test_chain_jump }
	}

	chain test_chain {
		type nat hook prerouting priority filter; policy accept;
	}

	chain test_chain_jump {
	}
}

I hope that this resolves your issue.

turekt avatar Sep 16 '22 20:09 turekt
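The answer above explains the constraint but the script it shows never actually consults the map from a rule, and the only way it checks the constraint is by asking the kernel. The following is an added example, not code from this issue or from the google/nftables project: a small POSIX shell script with a static check that reads a ruleset in `nft list ruleset` format and reports any `jump`/`goto` target that is a base chain (declared with a hook), which is exactly what the kernel rejects with "Operation not supported". The two rulesets embedded in it are constructed for the example: the first is the failing configuration from the thread written as `nft list ruleset` would print it, the second is the corrected one with the `ip daddr vmap @test_map` rule added so the map is really used. The parser is a simplified one-statement-per-line reader and the script name `check_jump.sh` is an assumption; `nft_dry_run` only runs when `nft` is installed and you have CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from google/nftables.
# Offline check for the constraint explained above: the target of 'jump' or
# 'goto' must be a regular chain, i.e. one declared without a hook. The parser
# is a simplified reader of 'nft list ruleset' output (one statement per line).

# Constructed input: the first, failing configuration from the thread, written
# the way 'nft list ruleset' would print it if the kernel had accepted the
# element. Both chains carry a hook, so test_chain_jump is not a valid target.
BROKEN_RULESET='table ip test_table {
    map test_map {
        type ipv4_addr : verdict
        elements = { 1.1.1.1 : jump test_chain_jump }
    }

    chain test_chain {
        type filter hook prerouting priority filter; policy accept;
    }

    chain test_chain_jump {
        type filter hook prerouting priority filter; policy accept;
    }
}'

# Constructed input: the corrected configuration. test_chain_jump has no hook,
# and the base chain now actually consults the map with a vmap lookup (the
# thread's script creates the map but never adds a rule that uses it).
FIXED_RULESET='table ip test_table {
    map test_map {
        type ipv4_addr : verdict
        elements = { 1.1.1.1 : jump test_chain_jump }
    }

    chain test_chain {
        type filter hook prerouting priority filter; policy accept;
        ip daddr vmap @test_map
    }

    chain test_chain_jump {
        counter log prefix "vmap-hit " accept
    }
}'

# check_jump_targets: read a ruleset on stdin. Records every chain declared
# with a hook (base chain) and every jump/goto target found in rules or map
# elements, then prints "<table>.<chain>: base chain used as jump/goto target"
# for each target that is a base chain. Exit status 1 if any were found.
check_jump_targets() {
    awk '
    /^table / { table = $3 }                          # "table ip NAME {"
    /^[ \t]*chain / { chain = $2; in_chain = 1 }      # "chain NAME {"
    in_chain && /^[ \t]*type [a-z]+ hook / { base[table "." chain] = 1 }
    /^[ \t]*}/ { in_chain = 0 }
    {
        # collect every "jump NAME" / "goto NAME" on the line
        line = $0
        while (match(line, /(jump|goto)[ \t]+[A-Za-z0-9_]+/)) {
            tok = substr(line, RSTART, RLENGTH)
            n = split(tok, parts, /[ \t]+/)
            targets[table "." parts[n]] = 1
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        rc = 0
        for (t in targets)
            if (t in base) { print t ": base chain used as jump/goto target"; rc = 1 }
        exit rc
    }'
}

# nft_dry_run: validate a ruleset (stdin) against the running kernel without
# committing it, using nft --check. Needs nft and CAP_NET_ADMIN; returns 0 and
# says so when nft is not installed, so the static check above still runs.
nft_dry_run() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping dry run" >&2; return 0; }
    nft -c -f -
}

# Usage: sh check_jump.sh demo   (file name is an assumption of this example)
if [ "${1:-}" = "demo" ]; then
    echo "== broken =="; printf '%s\n' "$BROKEN_RULESET" | check_jump_targets || true
    echo "== fixed =="; printf '%s\n' "$FIXED_RULESET" | check_jump_targets && echo "ok"
    printf '%s\n' "$FIXED_RULESET" | nft_dry_run
fi
```

Run it with `sh check_jump.sh demo`: the first ruleset is reported (`test_table.test_chain_jump: base chain used as jump/goto target`), the second passes, and, where `nft` is present, the second is also dry-run against the kernel with `nft -c -f -`. The static check only looks at chain declarations and jump/goto tokens, so a `jump` inside a quoted comment or log prefix would be a false positive; for anything beyond a quick lint, the kernel dry run is authoritative. The same constraint applies when the ruleset is built through the Go library rather than nft: the verdict in a map element or rule must name a chain created without a hook.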

Hi @turekt, thank you for the response! (Sorry for my late reply.)

rampxxxx avatar Sep 26 '22 12:09 rampxxxx