[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 27 14:02:39 CEST 2015


>>you 
>>have a single tool managing tables containing the chains. Iow. bridge 
>>stuff still goes into the bridge tables, ip stuff into the ip tables, 
>>arp stuff into the arp tables. 

bridge log (got forward working):

: IN=fwln150i0 OUT=tap150i0 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=5a:1a:9a:dc:7c:09 IPSRC=10.3.95.78 MACDST=00:00:00:00:00:00 IPDST=10.3.95.44 

So, yes, we have MAC and IP, but we don't have IP information about TCP/UDP and ports.
So it's really more like ebtables.

We really need to use inet tables for rules (and need to be able to make rules on physdevin|physdevout):
Jul 27 12:19:14 kvmtest1 kernel: [165625.946715] forward: IN=fwbr150i0 OUT=fwbr150i0 PHYSIN=fwln150i0 PHYSOUT=tap150i0 MAC=01:00:5e:00:00:fc:0e:d3:35:5a:1c:a5:08:00 SRC=10.3.95.20 DST=224.0.0.252 LEN=61 TOS=0x00 PREC=0x00 TTL=1 ID=14541 PROTO=UDP SPT=61150 DPT=5355 LEN=41 
Alexandre Derumier
Systems and storage engineer

Phone: 03 20 68 90 88
Fax: 03 20 68 90 81

45 Bvd du Général Leclerc 59100 Roubaix
12 rue Marivaux 75002 Paris

MonSiteEstLent.com - Blog dedicated to web performance and handling traffic spikes


From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday, 27 July 2015 13:47:22
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

> oh ok, didn't know that. (still a bit confused between bridge vs ip/inet tables)

I'm new to nft, too, but as far as I understand it's not actually much
different from iptables (from the outside anyway).
It's just that rather than having several tools managing chains, you
have a single tool managing tables containing the chains. IOW, bridge
stuff still goes into the bridge tables, ip stuff into the ip tables,
arp stuff into the arp tables.

There's also no complete documentation available yet. My current 
favorite is the gentoo wiki. 

> I don't know why, but I don't see any traffic in forward from bridge table. (input|output for bridge ip itself is working fine).
> forward in ip|inet table is working fine. 
> 
> any idea ? 

Not really. What kernels did you test and how are you viewing the 
traffic? (Are you using the log action?) 