[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 27 15:01:30 CEST 2015


Oh, I spoke too fast,
it seems that for TCP traffic in the bridge chain, I can see PROTO and port.

forward: IN=tap150i0 OUT=fwln150i0 MAC=00:08:7c:bd:ae:40:76:ef:e9:ed:9d:41:08:00 SRC=10.3.95.240 DST=192.168.100.76 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=42868 DF PROTO=TCP SPT=22 DPT=49876 WINDOW=291 RES=0x00 ACK PSH URGP=0 MARK=0x7b 

So, it's really only missing conntrack here.



----- Original Message -----
From: "aderumier" <aderumier at odiso.com>
To: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 27 July 2015 14:02:39
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

>>you 
>>have a single tool managing tables containing the chains. Iow. bridge 
>>stuff still goes into the bridge tables, ip stuff into the ip tables, 
>>arp stuff into the arp tables. 

bridge log (got forward working):

: IN=fwln150i0 OUT=tap150i0 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=5a:1a:9a:dc:7c:09 IPSRC=10.3.95.78 MACDST=00:00:00:00:00:00 IPDST=10.3.95.44 

So, yes, we have MAC and IP, but we don't have information about TCP/UDP and ports.
So it's really more like ebtables.

We really need to use inet tables for rules (and need to be able to make rules on physdevin|physdevout).
Jul 27 12:19:14 kvmtest1 kernel: [165625.946715] forward: IN=fwbr150i0 OUT=fwbr150i0 PHYSIN=fwln150i0 PHYSOUT=tap150i0 MAC=01:00:5e:00:00:fc:0e:d3:35:5a:1c:a5:08:00 SRC=10.3.95.20 DST=224.0.0.252 LEN=61 TOS=0x00 PREC=0x00 TTL=1 ID=14541 PROTO=UDP SPT=61150 DPT=5355 LEN=41 






Alexandre Derumier
Systems and storage engineer


Phone: 03 20 68 90 88
Fax: 03 20 68 90 81


45 Bvd du Général Leclerc 59100 Roubaix
12 rue Marivaux 75002 Paris


MonSiteEstLent.com - Blog dedicated to web performance and handling traffic peaks


From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 27 July 2015 13:47:22
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

> oh ok, didn't know that. (still a bit confused between bridge vs ip/inet tables)

I'm new to nft, too, but as far as I understand it's not actually much 
different from iptables (from the outside anyway). 
It's just that rather than having several tools managing chains, you 
have a single tool managing tables containing the chains. Iow. bridge 
stuff still goes into the bridge tables, ip stuff into the ip tables, 
arp stuff into the arp tables. 

There's also no complete documentation available yet. My current 
favorite is the gentoo wiki. 

> I don't know why, but I don't see any traffic in forward from the bridge table. (input|output for the bridge IP itself is working fine.)
> forward in ip|inet table is working fine. 
> 
> any idea ? 

Not really. What kernels did you test and how are you viewing the 
traffic? (Are you using the log action?) 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
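The three kernel log lines quoted in this thread are all written by the netfilter LOG target in the same key=value format, but they carry different fields depending on which table logged the packet. As an added example (not code from the thread, from Proxmox VE, or from nftables), the parser below reads constructed copies of those three lines and makes the difference visible: the ARP frame logged in the bridge table has MAC and IP addresses but no PROTO/SPT/DPT, the TCP frame logged in the bridge table does carry PROTO and ports, and the UDP frame logged in the ip table while crossing the bridge carries PHYSIN/PHYSOUT next to the bridge's own IN/OUT. The field and flag names are the ones visible in the quoted lines; the `NfLogEntry` class and its properties are this example's own.

```python
"""Parse netfilter LOG (nf_log) key=value lines from the kernel log.

Added example for this thread; not code from the mail authors, Proxmox VE
or nftables. The sample lines are constructed copies of the three log
lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed samples, copied from the three kernel log lines in the thread.
SAMPLE_LINES: List[str] = [
    # TCP frame logged from the bridge table: PROTO and ports are present.
    "forward: IN=tap150i0 OUT=fwln150i0 MAC=00:08:7c:bd:ae:40:76:ef:e9:ed:9d:41:08:00 "
    "SRC=10.3.95.240 DST=192.168.100.76 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=42868 DF "
    "PROTO=TCP SPT=22 DPT=49876 WINDOW=291 RES=0x00 ACK PSH URGP=0 MARK=0x7b",
    # ARP frame logged from the bridge table: addresses only, no L4 fields.
    ": IN=fwln150i0 OUT=tap150i0 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 "
    "MACSRC=5a:1a:9a:dc:7c:09 IPSRC=10.3.95.78 MACDST=00:00:00:00:00:00 IPDST=10.3.95.44",
    # UDP frame logged from the ip table while bridged: PHYSIN/PHYSOUT present.
    "Jul 27 12:19:14 kvmtest1 kernel: [165625.946715] forward: IN=fwbr150i0 OUT=fwbr150i0 "
    "PHYSIN=fwln150i0 PHYSOUT=tap150i0 MAC=01:00:5e:00:00:fc:0e:d3:35:5a:1c:a5:08:00 "
    "SRC=10.3.95.20 DST=224.0.0.252 LEN=61 TOS=0x00 PREC=0x00 TTL=1 ID=14541 "
    "PROTO=UDP SPT=61150 DPT=5355 LEN=41",
]

# First IN= token that starts a field (not the IN= inside PHYSIN=).
_IN_TOKEN = re.compile(r"(?<!\S)IN=")


@dataclass
class NfLogEntry:
    prefix: str                                   # text before IN= (rule prefix, syslog header)
    fields: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)  # bare tokens: DF, ACK, PSH, ARP, ...

    @property
    def is_arp(self) -> bool:
        return "ARP" in self.flags

    @property
    def has_l4_ports(self) -> bool:
        return all(k in self.fields for k in ("PROTO", "SPT", "DPT"))

    @property
    def bridged(self) -> bool:
        # PHYSIN/PHYSOUT only appear when a bridged frame is seen by the ip hooks.
        return "PHYSIN" in self.fields or "PHYSOUT" in self.fields

    @property
    def ingress_port(self) -> Optional[str]:
        # Port the frame entered through: PHYSIN when bridged, otherwise IN itself.
        return self.fields.get("PHYSIN") or self.fields.get("IN") or None


def parse_nflog(line: str) -> NfLogEntry:
    """Split one nf_log line into a prefix, key=value fields and bare flags."""
    m = _IN_TOKEN.search(line)
    if m is None:
        raise ValueError("not an nf_log line (no IN= field): %r" % line)
    entry = NfLogEntry(prefix=line[:m.start()].strip())
    for token in line[m.start():].split():
        key, sep, value = token.partition("=")
        if not sep:
            entry.flags.add(token)
            continue
        # LEN appears twice for UDP (IP total length, then UDP length); keep both.
        base, n = key, 2
        while key in entry.fields:
            key, n = "%s#%d" % (base, n), n + 1
        entry.fields[key] = value
    return entry


def describe(entry: NfLogEntry) -> str:
    """One line stating what the logged frame lets a rule author match on."""
    f = entry.fields
    where = "%s->%s" % (entry.ingress_port or "?", f.get("PHYSOUT") or f.get("OUT") or "?")
    if entry.is_arp:
        return "ARP  %s: %s -> %s (L2/L3 only, no PROTO/ports)" % (where, f.get("IPSRC"), f.get("IPDST"))
    if entry.has_l4_ports:
        tag = " [bridged: PHYSIN/PHYSOUT present]" if entry.bridged else ""
        return "%-4s %s: %s:%s -> %s:%s%s" % (f["PROTO"], where, f["SRC"], f["SPT"], f["DST"], f["DPT"], tag)
    return "%-4s %s: %s -> %s (no ports logged)" % (f.get("PROTO", "?"), where, f.get("SRC"), f.get("DST"))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_nflog(line)))
```

Running the block prints one summary per sample line; the interesting one is the last, where `ingress_port` resolves to `fwln150i0` from PHYSIN even though IN is the bridge `fwbr150i0`, which is exactly the distinction the thread needs for per-port rules.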



