nft NAT cannot work along with iptables NAT. "iptable_nat" module is always loaded on the VZ Node (libvirt triggers the load), so warn on "nft_nat" module load.
I've added an additional check - whether the "ip(6)table_nat" modules are really loaded - maybe some time later libvirt won't trigger their load.

https://jira.sw.ru/browse/PSBM-102919
https://jira.sw.ru/browse/PSBM-123111

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
net/netfilter/nft_nat.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 3883504db5c3..d12d540e1b60 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -279,6 +279,12 @@ static struct nft_expr_type nft_nat_type __read_mostly = { static int __init nft_nat_module_init(void) { + /* nft NAT does not work if ip(6)table_nat module is loaded */ + WARN_ONCE(init_net.ipv4.nat_table || init_net.ipv6.ip6table_nat, + "WARNING: 'nft_nat' kernel module is being loaded " + "while 'ip(6)table_nat' module already loaded. " + "nft NAT will not work.\n"); + return nft_register_expr(&nft_nat_type); }
--
2.24.3

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
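Review bot: WARN_ONCE() in nft_nat_module_init() turns an administrative configuration conflict into a kernel WARN splat with a stack trace, and on a node booted with panic_on_warn=1 that means loading nft_nat panics the host instead of just logging; since the condition is not a kernel bug, pr_warn_once() with the same message would report the conflict without those side effects. The check is also one-directional: it only fires when nft_nat is loaded after ip(6)table_nat, so in exactly the case the commit message anticipates (libvirt no longer pulling iptable_nat in first, and the tables being loaded later) nothing is reported; a matching check in the ip(6)table_nat init paths, or a sentence in the commit message stating that the load order is guaranteed on VZ nodes, would close that gap. Finally, the added comment should say that init_net.ipv4.nat_table / init_net.ipv6.ip6table_nat are being used as a proxy for "module loaded", so a later reader does not mistake it for a per-namespace check.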