shimikano 0 Posted February 10, 2023 With Tinker_Board-Debian-Buster-v3.0.11-20211026, the kernel config parameters CONFIG_NFT_CHAIN_NAT_IPV4 and CONFIG_NFT_MASQ_IPV4 (and the corresponding ipv6 versions) are not set: $ zgrep CONFIG_NFT /proc/config.gz CONFIG_NFT_EXTHDR=m CONFIG_NFT_META=m CONFIG_NFT_CT=m CONFIG_NFT_RBTREE=m CONFIG_NFT_HASH=m CONFIG_NFT_COUNTER=m CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m CONFIG_NFT_NAT=y CONFIG_NFT_QUEUE=m CONFIG_NFT_REJECT=m CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m # CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set CONFIG_NFT_REJECT_IPV4=m # CONFIG_NFT_DUP_IPV4 is not set # CONFIG_NFT_CHAIN_NAT_IPV4 is not set # CONFIG_NFT_MASQ_IPV4 is not set # CONFIG_NFT_REDIR_IPV4 is not set # CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set CONFIG_NFT_REJECT_IPV6=m # CONFIG_NFT_DUP_IPV6 is not set # CONFIG_NFT_CHAIN_NAT_IPV6 is not set # CONFIG_NFT_MASQ_IPV6 is not set # CONFIG_NFT_REDIR_IPV6 is not set It seems that hey're required for 'nat' chains and masquerading rules in 'ip' tables in nftables, which is the new default in Debian Buster. In particular, this makes NAT masquerading impossible. We can use iptables-legacy as a workaround, but may I request these kernel config parameters be enabled? Thank you. Share this post Link to post Share on other sites