Hi, I have done a small test with nftables 0.4 (from debian sid) + kernel 3.19:

    modprobe nf_tables
    modprobe nf_tables_ipv4
    modprobe nft_meta_bridge
    nft list ruleset
    nft flush table inet filter
    nft add table inet filter
    nft add chain inet filter forward { type filter hook forward priority 0 \; }
    # one chain per tap interface and direction
    nft add chain inet filter tap115i0-OUT
    nft add chain inet filter tap115i1-OUT
    nft add chain inet filter tap115i0-IN
    nft add chain inet filter tap115i1-IN
    # dispatch on the bridge output / input port
    nft add rule inet filter forward meta obriport vmap { tap115i0: jump tap115i0-OUT, tap115i1: jump tap115i1-OUT }
    nft add rule inet filter forward meta ibriport vmap { tap115i0: jump tap115i0-IN, tap115i1: jump tap115i1-IN }
    nft add rule inet filter tap115i0-OUT log prefix \"tap115i0-OUT: \" accept
    nft add rule inet filter tap115i0-IN log prefix \"tap115i0-IN: \" accept
    nft add rule inet filter tap115i1-OUT log prefix \"tap115i1-OUT: \" accept
    nft add rule inet filter tap115i1-IN log prefix \"tap115i1-IN: \" accept
    nft add rule inet filter forward log prefix \"forward: \" accept

It is still failing on meta obriport|ibriport, which is the same as physdev-out|in.

It's working in table "bridge" (ebtables-like), but not in table "inet" (iptables-like).

I have found a recent kernel patch related to this, "netfilter: bridge: add helpers for fetching physin/outdev":
http://patchwork.ozlabs.org/patch/457401/

I'll try again in some months.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
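Since the post reports that meta ibriport/obriport matching works in the "bridge" family, here is an added shell helper (not part of the original mail or of Proxmox code) that emits the same per-tap logging ruleset as an nft script for the bridge family, using the nft 0.4 keyword names from the post; the helper names and the tap interface names are assumptions, so substitute your own bridge ports.

```shell
#!/bin/sh
# Added example: generate the post's per-tap logging ruleset as an nft script
# for the "bridge" family, where meta ibriport/obriport is reported to work
# (kernel 3.19 + nftables 0.4 keyword names). Interface names are sample values.

# Build a "port : jump port-SUFFIX, ..." vmap body for the given suffix.
vmap_expr() {
    suffix=$1; shift
    sep=""
    for port in "$@"; do
        printf '%s%s : jump %s-%s' "$sep" "$port" "$port" "$suffix"
        sep=", "
    done
}

# Print a complete nft script: one forward chain dispatching on the bridge
# output/input port, plus one logging chain per port and direction.
gen_bridge_ruleset() {
    printf 'table bridge filter {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0;\n'
    printf '        meta obriport vmap { %s }\n' "$(vmap_expr OUT "$@")"
    printf '        meta ibriport vmap { %s }\n' "$(vmap_expr IN "$@")"
    printf '        log prefix "forward: " accept\n'
    printf '    }\n'
    for port in "$@"; do
        for dir in OUT IN; do
            printf '    chain %s-%s {\n' "$port" "$dir"
            printf '        log prefix "%s-%s: " accept\n' "$port" "$dir"
            printf '    }\n'
        done
    done
    printf '}\n'
}

# Write the script to a file so it can be loaded in one step with: nft -f FILE
write_bridge_ruleset() {
    out=$1; shift
    gen_bridge_ruleset "$@" > "$out"
}
```

Loading the generated file with `nft -f` replaces the twelve separate `nft add` invocations from the post with one atomic ruleset load.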