[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jul 27 13:06:49 CEST 2015


I think Xbriport only ever works on bridge filters, (on current kernels,
too). Is there any reason to put it in the ip tables? You can still
match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters.

Btw. I find the table syntax much more readable than command lists.
table bridge filter {
  chain forward {
    type filter hook forward priority 0;
    meta obriport vmap { tap115i0: jump tap115i0-OUT, ...
  }
}

(That way it should be atomic and it also ensures the shell doesn't
mess with {} braces, hrhr ;-) )

On Mon, Jul 27, 2015 at 12:29:33PM +0200, Alexandre DERUMIER wrote:
> Hi, 
> I have done a small test with nftables 0.4 (from debian sid) + kernel 3.19,
> 
> 
> modprobe nf_tables
> modprobe nf_tables_ipv4
> modprobe nft_meta_bridge
> 
> nft list ruleset
> nft flush table inet filter
> nft add table inet filter
> nft add chain inet filter forward { type filter hook forward priority 0 \; }
> nft add chain inet filter tap115i0-OUT
> nft add chain inet filter tap115i1-OUT
> nft add chain inet filter tap115i0-IN
> nft add chain inet filter tap115i1-IN
> nft add rule inet filter forward meta obriport vmap { tap115i0: jump tap115i0-OUT,  tap115i1: jump tap115i1-OUT }
> nft add rule inet filter forward meta ibriport vmap { tap115i0: jump tap115i0-IN,  tap115i1: jump tap115i1-IN }
> 
> nft add rule inet filter tap115i0-OUT log prefix \"tap115i0-OUT: \" accept
> nft add rule inet filter tap115i0-IN log prefix \"tap115i0-IN: \" accept
> nft add rule inet filter tap115i1-OUT log prefix \"tap115i1-OUT: \" accept
> nft add rule inet filter tap115i1-IN log prefix \"tap115i1-IN: \" accept
> nft add rule inet filter forward log prefix \"forward: \" accept
> 
> 
> 
> still failing on meta obriport|ibriport, which is the same as physdevout|in.
> It's working in table "bridge" (ebtables-like), but not in table "inet" (iptables-like)
> 
> 
> I have found a recent kernel patch related
> "netfilter: bridge: add helpers for fetching physin/outdev"
> http://patchwork.ozlabs.org/patch/457401/
> 
> 
> I'll try again in some months
> 
> 
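As an added example (not from either poster), here is Alexandre's command list rewritten in the table syntax Wolfgang suggests, placed in the bridge family where `meta ibriport` / `obriport` actually resolve; the `ip`/`ip6` matches inside the per-port chains show the point that layer-3 matching does not require the inet table. The 10.0.0.0/8 prefix is a constructed sample value, and the file assumes the table does not exist yet.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): the ruleset from the quoted mail in
# table syntax, bridge family. Load the whole file in one transaction with:
#   nft -f /path/to/this/file
# Assumes "table bridge filter" does not exist yet on this host.
table bridge filter {
  # Regular (non-base) per-port chains, reached only through the vmaps below.
  chain tap115i0-IN {
    # Layer-3 matches work in bridge filters too; no inet table needed.
    ip6 nexthdr icmpv6 accept
    ip saddr 10.0.0.0/8 log prefix "tap115i0-IN lan: " accept   # constructed prefix
    log prefix "tap115i0-IN: " accept
  }
  chain tap115i0-OUT {
    log prefix "tap115i0-OUT: " accept
  }
  chain tap115i1-IN {
    log prefix "tap115i1-IN: " accept
  }
  chain tap115i1-OUT {
    log prefix "tap115i1-OUT: " accept
  }

  # Base chain: frames forwarded across the bridge pass through here.
  chain forward {
    type filter hook forward priority 0;
    # Dispatch on the bridge port a frame arrived on / leaves through.
    # Ports not listed in a vmap simply fall through to the rules below.
    meta ibriport vmap { tap115i0 : jump tap115i0-IN,  tap115i1 : jump tap115i1-IN }
    meta obriport vmap { tap115i0 : jump tap115i0-OUT, tap115i1 : jump tap115i1-OUT }
    log prefix "forward: " accept
  }
}
```

Because the file is applied as one transaction, a syntax error anywhere in it leaves the existing ruleset untouched, which is the atomicity Wolfgang refers to.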