Hi,
I tried registering for bugzilla.netfilter.org but the confirmation email
didn't come through, so I'm posting this bug report to this list.
I use nft 0.9.0 and iptables-nft 1.8.2 on Debian 10 and noticed nft complaining
about "XT target TCPMSS not found" in a specific configuration. After some
digging, I found it is actually really simple to reproduce:
Step 1 - add the following rules:
`iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
`ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
Step 2 - run the nft command:
`nft list tables'
Result:
XT target TCPMSS not found
table ip6 filter
table ip filter
It's not important what you list, you can e.g. also run `nft list ruleset'
which will throw the same error message.
It is important, however, to add both of the above rules for ip and ip6. The
order is not important. But if you add only one of the two rules, nft will not
complain and show the ruleset correctly.
Please note that the iptables and ip6tables commands return exit code 0 for
both rules. Running `ip{6,}tables -S' will also show both rules just fine. It
is only nft that complains when both rules are present at the same time. And
just to be clear: lsmod also shows both xt_TCPMSS and xt_tcpmss being loaded
and available.
Regards,
Timo
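The reproduction described in the report, wrapped up as a small script (an added example, not part of Timo's message): it adds the two TCPMSS rules, captures `nft list ruleset`, removes the rules again and reports any "XT target ... not found" line. It assumes iptables/ip6tables are the iptables-nft variants as in the report and that the live reproduction runs as root; the output check alone needs no privileges and is fed a constructed sample matching the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the original report.
# Assumptions: iptables/ip6tables are iptables-nft, nft is installed, and
# reproduce_tcpmss_warning() is run as root. The parsing helpers run unprivileged.

# Read nft's combined stdout/stderr on stdin and print the name of every
# XT target nft reported as missing, one per line.
find_missing_xt_targets() {
    sed -n 's/^XT target \([A-Za-z0-9_]*\) not found$/\1/p'
}

# Return 0 (true) if the given nft output contains at least one
# "XT target <name> not found" line, 1 otherwise.
has_missing_xt_target() {
    [ -n "$(printf '%s\n' "$1" | find_missing_xt_targets)" ]
}

# The rule from the report, parameterised by binary ($1: iptables or
# ip6tables) and action ($2: -A to add, -D to delete).
tcpmss_rule() {
    "$1" "$2" FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Live reproduction: add both rules, list the ruleset with nft, remove the
# rules again, and return 1 if nft complained about a missing XT target.
reproduce_tcpmss_warning() {
    tcpmss_rule iptables -A || return 2
    tcpmss_rule ip6tables -A || return 2
    out=$(nft list ruleset 2>&1)
    # Always clean up, even when nft printed the warning.
    tcpmss_rule iptables -D
    tcpmss_rule ip6tables -D
    if has_missing_xt_target "$out"; then
        echo "nft reported missing XT target(s):"
        printf '%s\n' "$out" | find_missing_xt_targets
        return 1
    fi
    echo "no missing XT target reported"
    return 0
}

# Constructed sample of nft output, copied from the report (not captured live).
SAMPLE_OUTPUT='XT target TCPMSS not found
table ip6 filter
table ip filter'

# Uncomment to run the live reproduction as root:
# reproduce_tcpmss_warning
```

`find_missing_xt_targets` keys on the exact message form quoted in the report, so it will not match unrelated stderr noise; `reproduce_tcpmss_warning` deletes the rules unconditionally after listing, so a run leaves the FORWARD chain as it found it.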