SOLVED

The following works !

I guess one of my others rules was blocking

table ip Tip {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                ip daddr 192.168.y.2 log prefix "forwarded " dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
        }
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

Hi, Thank to all of you.

I made a test environment with the following.

• Machine A: 192.168.Y.1
• Machine B: 192.168.Y.2
• Machine C: 192.168.Y.3

The goal is to send a ping A to B, B forward to C

So ping -4c 1 192.168.y.2 from A, should ping B fw C

I’ve set the following rule in /etc/nftables.conf

table ip Tip {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eth0" ip protocol icmp dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.y.3 masquerade
        }
}

but is not working :'(

I see B receive the package

preroute: IN=eth0 OUT= MAC=▒▒ SRC=192.168.y.1 DST=192.168.y.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21398 DF PROTO=ICMP TYPE=8 CODE=0 ID=17950 SEQ=1

but it seem C receive nothing…

Any ideas ?

As I want the system to be quite ( not sending data ) I was suspected the output hook to be the one. what are you suggesting ?

Obviously, but I’m anyway wondering why it doesn’t blocking like it should
I hope nftables do not let other pass like this…

Thanks @[email protected]

I suppose the file linux/arch/Kconfig is the base the menuconfig to know which option is available ? right ?

Thanks.