shimikano

Tinker Board Debian v3.0.11: Enable nft/nftables NAT Kernel Configs


With Tinker_Board-Debian-Buster-v3.0.11-20211026, the kernel config parameters CONFIG_NFT_CHAIN_NAT_IPV4 and CONFIG_NFT_MASQ_IPV4 (and the corresponding ipv6 versions) are not set:

$ zgrep CONFIG_NFT /proc/config.gz
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=y
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_CHAIN_NAT_IPV6 is not set
# CONFIG_NFT_MASQ_IPV6 is not set
# CONFIG_NFT_REDIR_IPV6 is not set

It seems that they're required for 'nat' chains and masquerading rules in 'ip' tables in nftables, which is the new default in Debian Buster. In particular, this makes NAT masquerading impossible.

We can use iptables-legacy as a workaround, but may I request these kernel config parameters be enabled? Thank you.
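
An added example, not part of the original post: a shell check that reports which of the nftables NAT options named above are not enabled in a kernel config. The function name `missing_nat_opts`, the option list and the sample config are assumptions built from the lines quoted in the post.

```shell
#!/bin/sh
# Added example: report which nftables NAT kernel options named in the post
# are missing from a kernel config. Reads config text on stdin.

# Options the post identifies as needed for 'nat' chains and masquerading in
# 'ip'/'ip6' tables (assumption taken from the post, not checked per kernel).
REQUIRED_NAT_OPTS="CONFIG_NFT_NAT CONFIG_NFT_MASQ
CONFIG_NFT_CHAIN_NAT_IPV4 CONFIG_NFT_MASQ_IPV4
CONFIG_NFT_CHAIN_NAT_IPV6 CONFIG_NFT_MASQ_IPV6"

# missing_nat_opts: prints, space-separated, each required option that is not
# set to y or m in the config read from stdin. Returns 1 if any is missing.
missing_nat_opts() {
    cfg=$(cat)
    missing=""
    for opt in $REQUIRED_NAT_OPTS; do
        # A set option appears as OPT=y or OPT=m at line start; an unset one
        # appears as "# OPT is not set" or is absent entirely.
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)\$"; then
            missing="${missing:+$missing }$opt"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: an excerpt of the config lines quoted in the post.
SAMPLE_CONFIG='CONFIG_NFT_MASQ=m
CONFIG_NFT_NAT=y
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_CHAIN_NAT_IPV6 is not set
# CONFIG_NFT_MASQ_IPV6 is not set'

# On a live system: zcat /proc/config.gz | missing_nat_opts
printf '%s\n' "$SAMPLE_CONFIG" | missing_nat_opts || echo "NAT options missing"
```

Running the same check before deploying an nftables ruleset with a 'nat' chain shows early whether the rules can load or whether the iptables-legacy workaround is still needed.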
