Also, it seems that connection tracking is not implemented in the bridge table:
http://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

----- Original Message -----
From: "aderumier" <aderum...@odiso.com>
To: "Wolfgang Bumiller" <w.bumil...@proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Monday 27 July 2015 13:33:59
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

>> I think Xbriport only ever works on bridge filters, (on current kernels,
>> too). Is there any reason to put it in the ip tables? You can still
>> match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters.

I don't know why, but I don't see any traffic in forward from the bridge table.
(input|output for the bridge ip itself is working fine).
forward in the ip|inet table is working fine.

any idea ?

>> You can still
>> match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters.

oh ok, didn't know that.
(still a bit confused between bridge vs ip/inet tables)

----- Original Message -----
From: "Wolfgang Bumiller" <w.bumil...@proxmox.com>
To: "aderumier" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Monday 27 July 2015 13:06:49
Subject: Re: [pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

I think Xbriport only ever works on bridge filters, (on current kernels,
too). Is there any reason to put it in the ip tables? You can still
match on `ip saddr`, `ip6 saddr`, `ip6 nexthdr` etc. in bridge filters.

Btw. I find the table syntax much more readable than command lists.

table bridge filter {
    chain forward {
        type filter hook forward priority 0;
        meta obriport vmap { tap115i0: jump tap115i0-OUT, ... }
    }
}

(That way it should be atomic and it also ensures the shell doesn't mess
with {} braces, hrhr ;-) )

On Mon, Jul 27, 2015 at 12:29:33PM +0200, Alexandre DERUMIER wrote:
> Hi,
> I have done a small test with nftables 0.4 (from debian sid) + kernel 3.19,
>
>
> modprobe nf_tables
> modprobe nf_tables_ipv4
> modprobe nft_meta_bridge
>
> nft list ruleset
> nft flush table inet filter
> nft add table inet filter
> nft add chain inet filter forward { type filter hook forward priority 0 \; }
> nft add chain inet filter tap115i0-OUT
> nft add chain inet filter tap115i1-OUT
> nft add chain inet filter tap115i0-IN
> nft add chain inet filter tap115i1-IN
> nft add rule inet filter forward meta obriport vmap { tap115i0: jump tap115i0-OUT, tap115i1: jump tap115i1-OUT }
> nft add rule inet filter forward meta ibriport vmap { tap115i0: jump tap115i0-IN, tap115i1: jump tap115i1-IN }
>
> nft add rule inet filter tap115i0-OUT log prefix \"tap115i0-OUT: \" accept
> nft add rule inet filter tap115i0-IN log prefix \"tap115i0-IN: \" accept
> nft add rule inet filter tap115i1-OUT log prefix \"tap115i1-OUT: \" accept
> nft add rule inet filter tap115i1-IN log prefix \"tap115i1-IN: \" accept
> nft add rule inet filter forward log prefix \"forward: \" accept
>
>
>
> still failing on meta obriport|ibriport, which is the same as physdevout|in.
> it's working in table "bridge" (ebtables like), but not in table "inet"
> (iptables like)
>
>
> I have found a recent kernel patch related
> "netfilter: bridge: add helpers for fetching physin/outdev"
> http://patchwork.ozlabs.org/patch/457401/
>
>
> I'll try again in some months
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
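The bridge-family ruleset that Wolfgang's table syntax sketches, written out as an added example (not code from the thread or from Proxmox): per-port dispatch with the `meta ibriport`/`obriport` vmaps in the `bridge` family, where the thread reports they work, plus an `ip saddr` match evaluated inside a bridge chain as he describes. The guest addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders.

```nft
# Added example (not from the thread). Bridge-family table using the
# nftables 0.4 "meta ibriport"/"meta obriport" names the thread uses.
# Guest addresses 192.0.2.10 / 192.0.2.11 are constructed placeholders.
# No "ct state" rule: the thread notes conntrack is not implemented in
# the bridge table, so the per-port chains are stateless.
table bridge filter {
    chain forward {
        type filter hook forward priority 0;
        # Frames entering the bridge from a guest port (ibriport = physdev-in)
        meta ibriport vmap { tap115i0: jump tap115i0-IN, tap115i1: jump tap115i1-IN }
        # Frames leaving the bridge towards a guest port (obriport = physdev-out)
        meta obriport vmap { tap115i0: jump tap115i0-OUT, tap115i1: jump tap115i1-OUT }
        log prefix "forward: " accept
    }

    # Guest on tap115i0 may only source its own IPv4 address: an L3 match
    # ("ip saddr") applied in a bridge chain, as described in the thread.
    chain tap115i0-IN {
        ether type arp accept            # ARP must pass or the guest cannot resolve anything
        ip saddr 192.0.2.10 accept       # only the guest's own IPv4 source address
        ip6 nexthdr icmpv6 accept        # let NDP through; other IPv6 is dropped below
        log prefix "tap115i0-IN dropped: " drop
    }
    chain tap115i0-OUT {
        log prefix "tap115i0-OUT: " accept
    }

    chain tap115i1-IN {
        ether type arp accept
        ip saddr 192.0.2.11 accept
        ip6 nexthdr icmpv6 accept
        log prefix "tap115i1-IN dropped: " drop
    }
    chain tap115i1-OUT {
        log prefix "tap115i1-OUT: " accept
    }
}
```

Load it with `nft -f <file>` so the whole table is committed in one transaction, which is the atomicity Wolfgang points to; a guest whose traffic is unexpectedly dropped shows up under the "dropped:" log prefix for its port.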