[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 27 13:41:56 CEST 2015


Also, it seems that connection tracking is not implemented in the bridge table:

http://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

----- Original message -----
From: "aderumier" <aderumier at odiso.com>
To: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 27 July 2015 13:33:59
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

>>I think Xbriport only ever works on bridge filters, (on current kernels, 
>>too). Is there any reason to put it in the ip tables? You can still 
>>match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters. 

I don't know why, but I don't see any traffic in forward from the bridge table (input|output for the bridge IP itself is working fine).
forward in the ip|inet table is working fine.

Any idea?



>>You can still 
>>match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters. 

Oh ok, I didn't know that. (Still a bit confused between bridge vs ip/inet tables.)




----- Original message -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 27 July 2015 13:06:49
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

I think Xbriport only ever works on bridge filters, (on current kernels, 
too). Is there any reason to put it in the ip tables? You can still 
match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters. 

Btw. I find the table syntax much more readable than command lists. 
table bridge filter {
    chain forward {
        type filter hook forward priority 0;
        meta obriport vmap { tap115i0: jump tap115i0-OUT, ... }
    }
}

(That way it should be atomic and it also ensures the shell doesn't
mess with {} braces, hrhr ;-) )

On Mon, Jul 27, 2015 at 12:29:33PM +0200, Alexandre DERUMIER wrote: 
> Hi, 
> I have done a small test with nftables 0.4 (from debian sid) + kernel 3.19, 
> 
> 
> modprobe nf_tables 
> modprobe nf_tables_ipv4 
> modprobe nft_meta_bridge 
> 
> nft list ruleset 
> nft flush table inet filter 
> nft add table inet filter 
> nft add chain inet filter forward { type filter hook forward priority 0 \; } 
> nft add chain inet filter tap115i0-OUT 
> nft add chain inet filter tap115i1-OUT 
> nft add chain inet filter tap115i0-IN 
> nft add chain inet filter tap115i1-IN 
> nft add rule inet filter forward meta obriport vmap { tap115i0: jump tap115i0-OUT, tap115i1: jump tap115i1-OUT } 
> nft add rule inet filter forward meta ibriport vmap { tap115i0: jump tap115i0-IN, tap115i1: jump tap115i1-IN } 
> 
> nft add rule inet filter tap115i0-OUT log prefix \"tap115i0-OUT: \" accept 
> nft add rule inet filter tap115i0-IN log prefix \"tap115i0-IN: \" accept 
> nft add rule inet filter tap115i1-OUT log prefix \"tap115i1-OUT: \" accept 
> nft add rule inet filter tap115i1-IN log prefix \"tap115i1-IN: \" accept 
> nft add rule inet filter forward log prefix \"forward: \" accept 
> 
> 
> 
> still failing on meta obriport|ibriport, which is the same as physdevout|in.
> It's working in table "bridge" (ebtables-like), but not in table "inet" (iptables-like).
> 
> 
> I have found a recent kernel patch related 
> "netfilter: bridge: add helpers for fetching physin/outdev" 
> http://patchwork.ozlabs.org/patch/457401/ 
> 
> 
> I'll try again in some months 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
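
Added example (not from the thread or from Proxmox): the command list from the first mail rewritten in the table syntax Wolfgang proposed, placed in the bridge family where meta ibriport/obriport actually match on nftables 0.4 / kernel 3.19, with one constructed `ip saddr` rule to show that L3 matches still work there. The 192.0.2.0/24 prefix is a placeholder; the tap names are the ones used in the thread.

```nftables
# Added example, not from the thread: the command list from the first mail
# rewritten in the table syntax Wolfgang proposed, in the bridge family where
# meta ibriport/obriport work on nftables 0.4 / kernel 3.19. Load atomically
# with `nft -f rules.nft`; no shell quoting of braces or strings is needed.
# The 192.0.2.0/24 prefix is a constructed placeholder.
table bridge filter {
    chain forward {
        type filter hook forward priority 0;

        # dispatch on the bridge port a frame leaves or entered through
        meta obriport vmap { tap115i0 : jump tap115i0-OUT, tap115i1 : jump tap115i1-OUT }
        meta ibriport vmap { tap115i0 : jump tap115i0-IN,  tap115i1 : jump tap115i1-IN }
        log prefix "forward: " accept
    }

    # per-port chains: L3 matches such as `ip saddr` / `ip6 saddr` work in
    # the bridge family, but `ct state` does not, since connection tracking
    # is not available in the bridge table (see the wiki link above)
    chain tap115i0-OUT {
        ip saddr 192.0.2.0/24 log prefix "tap115i0-OUT: " accept
        log prefix "tap115i0-OUT: other " drop
    }
    chain tap115i0-IN {
        log prefix "tap115i0-IN: " accept
    }
    chain tap115i1-OUT {
        log prefix "tap115i1-OUT: " accept
    }
    chain tap115i1-IN {
        log prefix "tap115i1-IN: " accept
    }
}
```

After loading, `nft list table bridge filter` shows the whole ruleset, and the kernel log prefixes tell you which per-port chain a forwarded frame hit.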


