nft rules processed in wrong network namespace

Hi,

It seems that nft rules are processed in the wrong network namespace.

Sample setup:

default netns:

# nft list table filter
<cmdline>:1:1-17: Error: Could not receive table from kernel: No such file or directory
list table filter
^^^^^^^^^^^^^^^^^

# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 127.0.0.1:13666         0.0.0.0:*               LISTEN      
[...]

netns "upstream":

# ip netns exec upstream nft list table filter
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
		nftrace set 1 
		counter packets 6826 bytes 329487801 drop 
	}
}

# ip netns exec upstream netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN  

# dmesg | tail

[ 3021.706763] TRACE: filter:output:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45563 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A00298046001A1EEE) UID=0 GID=0 
[ 3021.728817] TRACE: filter:output:rule:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45563 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A00298046001A1EEE) UID=0 GID=0 
[ 3022.001321] TRACE: filter:output:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45564 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029816D001A1EEE) UID=0 GID=0 
[ 3022.023382] TRACE: filter:output:rule:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45564 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029816D001A1EEE) UID=0 GID=0 

tcpdump on interface lo in the default namespace shows the traffic; in the
upstream namespace no traffic is seen (as it should be).

It seems as if the nft rules in the upstream namespace do receive the traffic
from the default namespace.

Andreas
-- 
Andreas Schultz