[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 27 12:29:33 CEST 2015


Hi, 
I have done a small test with nftables 0.4 (from Debian sid) + kernel 3.19:


# load the nf_tables core, the IPv4 family and the bridge meta expression
modprobe nf_tables
modprobe nf_tables_ipv4
modprobe nft_meta_bridge

nft list ruleset
nft flush table inet filter
nft add table inet filter
nft add chain inet filter forward { type filter hook forward priority 0 \; }
# one IN and one OUT chain per tap interface
nft add chain inet filter tap115i0-OUT
nft add chain inet filter tap115i1-OUT
nft add chain inet filter tap115i0-IN
nft add chain inet filter tap115i1-IN
# dispatch on the bridge port the packet leaves / enters (physdev-out / physdev-in)
nft add rule inet filter forward meta obriport vmap { tap115i0: jump tap115i0-OUT, tap115i1: jump tap115i1-OUT }
nft add rule inet filter forward meta ibriport vmap { tap115i0: jump tap115i0-IN, tap115i1: jump tap115i1-IN }

# log-and-accept in every per-tap chain, then in the forward chain itself
nft add rule inet filter tap115i0-OUT log prefix \"tap115i0-OUT: \" accept
nft add rule inet filter tap115i0-IN log prefix \"tap115i0-IN: \" accept
nft add rule inet filter tap115i1-OUT log prefix \"tap115i1-OUT: \" accept
nft add rule inet filter tap115i1-IN log prefix \"tap115i1-IN: \" accept
nft add rule inet filter forward log prefix \"forward: \" accept



It is still failing on meta obriport|ibriport, which is the same as physdevout|in.
It works in table "bridge" (ebtables-like), but not in table "inet" (iptables-like).


I have found a recent kernel patch related to this:
"netfilter: bridge: add helpers for fetching physin/outdev"
http://patchwork.ozlabs.org/patch/457401/


I'll try again in a few months.
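As an added example, not part of the original post and not Proxmox firewall code: a POSIX shell generator for the same per-tap layout (one IN and one OUT chain per tap, dispatched from the forward hook with a vmap on meta ibriport/obriport), but in the bridge family, which the post reports does accept those meta keys on nftables 0.4 / kernel 3.19. It generalises the two-interface ruleset above to any number of tap devices. The interface names tap115i0/tap115i1 are reused from the post; the function names gen_bridge_ruleset and load_bridge_ruleset are this example's own, and loading assumes root and an nft binary on the machine. It does not work around the inet-family limitation the post describes; it only produces the variant that works.

```shell
#!/bin/sh
# Added example (not from the original post): build an nftables ruleset in the
# *bridge* family with per-tap IN/OUT chains selected via meta ibriport/obriport.
# Function names are this example's own; tap names are hypothetical.

# gen_bridge_ruleset TAP... : print an nft ruleset file (for `nft -f`) to stdout.
# Per-tap chains are emitted before the forward chain so the jump targets exist
# when the vmap rules are added within the same batch.
gen_bridge_ruleset() {
    printf 'table bridge filter {\n'
    for tap in "$@"; do
        printf '    chain %s-OUT {\n        log prefix "%s-OUT: " accept\n    }\n' "$tap" "$tap"
        printf '    chain %s-IN {\n        log prefix "%s-IN: " accept\n    }\n' "$tap" "$tap"
    done

    # Build the vmap bodies: "tapA : jump tapA-OUT, tapB : jump tapB-OUT, ..."
    outmap=""
    inmap=""
    for tap in "$@"; do
        outmap="${outmap:+$outmap, }$tap : jump $tap-OUT"
        inmap="${inmap:+$inmap, }$tap : jump $tap-IN"
    done

    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0;\n'
    # obriport = bridge port the frame leaves on (physdev-out equivalent)
    printf '        meta obriport vmap { %s }\n' "$outmap"
    # ibriport = bridge port the frame came in on (physdev-in equivalent)
    printf '        meta ibriport vmap { %s }\n' "$inmap"
    printf '        log prefix "forward: " accept\n'
    printf '    }\n'
    printf '}\n'
}

# load_bridge_ruleset TAP... : flush the table if present, then load the
# generated ruleset. Needs root and the nft binary; not run by default.
load_bridge_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_bridge_ruleset "$@" > "$tmp"
    nft flush table bridge filter 2>/dev/null
    nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root):  load_bridge_ruleset tap115i0 tap115i1
# Preview only:     gen_bridge_ruleset tap115i0 tap115i1
```

To check the result after loading, `nft list table bridge filter` should show the two vmap rules in the forward chain and the per-tap chains; the same file with `table inet filter` substituted is what the post reports fails on this kernel.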


