Hi,

I've now tested the same setup on Ubuntu 15.04 (Linux 3.19, nftables 0.4) and the same problem occurs.

Should I open this as a bug at https://bugzilla.netfilter.org/ ???

Andreas

----- On 9 Jun, 2015, at 13:55, aschultz aschultz@xxxxxxxx wrote:

> Hi,
>
> It seems that nft rules are processed in the wrong network namespace.
>
> Sample setup:
>
> default netns:
>
> # nft list table filter
> <cmdline>:1:1-17: Error: Could not receive table from kernel: No such file or directory
> list table filter
> ^^^^^^^^^^^^^^^^^
>
> # netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 127.0.0.1:13666         0.0.0.0:*               LISTEN
> [...]
>
> netns "upstream":
>
> # ip netns exec upstream nft list table filter
> table ip filter {
>         chain input {
>                 type filter hook input priority 0; policy accept;
>         }
>
>         chain forward {
>                 type filter hook forward priority 0; policy accept;
>         }
>
>         chain output {
>                 type filter hook output priority 0; policy accept;
>                 nftrace set 1
>                 counter packets 6826 bytes 329487801 drop
>         }
> }
>
> # ip netns exec upstream netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
>
> # dmesg | tail
>
> [ 3021.706763] TRACE: filter:output:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45563 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A00298046001A1EEE) UID=0 GID=0
> [ 3021.728817] TRACE: filter:output:rule:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45563 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A00298046001A1EEE) UID=0 GID=0
> [ 3022.001321] TRACE: filter:output:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45564 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029816D001A1EEE) UID=0 GID=0
> [ 3022.023382] TRACE: filter:output:rule:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=65535 TOS=0x00 PREC=0x00 TTL=64 ID=45564 DF PROTO=TCP SPT=48233 DPT=13666 SEQ=715960373 ACK=191464471 WINDOW=1930 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029816D001A1EEE) UID=0 GID=0
>
> tcpdump on interface lo in the default namespace shows the traffic; in the upstream namespace no traffic is seen (as should be).
>
> It seems as if the nft rules in the upstream do receive the traffic from the default namespace.
>
> Andreas
> --
> --
> Andreas Schultz
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Dipl. Inform. Andreas Schultz
email: as@xxxxxxxxxxxxxx
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------
Travelping GmbH            phone: +49-391-819099229
Roentgenstr. 13            fax:   +49-391-819099299
D-39108 Magdeburg          email: info@xxxxxxxxxxxxxx
GERMANY                    web:   http://www.travelping.com
Company Registration: Amtsgericht Stendal Reg No.: HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
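The observation in the quoted report (an `output` hook counter inside the "upstream" namespace advancing while traffic is only generated in the default namespace) can be turned into a small, repeatable check. The script below is an added example and not part of the thread or of the nftables project: it creates the `upstream` namespace, installs a plain `counter` rule on the output hook there, generates loopback traffic in the default namespace only, and reads the counter back. Any packets counted in `upstream` mean the rule saw traffic from the wrong namespace. It assumes root, `nft` and `ip` on the host; the function names, the use of ICMP `ping` instead of the report's TCP connection to port 13666, and the parsing of `nft list table` output are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an nft counter in a
# separate network namespace counts traffic sent from the default namespace.
# Assumes root, iproute2 (`ip`) and `nft`; namespace name taken from the report.

# Sum the "packets N" fields of every counter in `nft list table` output
# read from stdin. Prints 0 when the table has no counter.
counter_packets() {
    awk '/counter packets/ {
             for (i = 1; i < NF; i++) if ($i == "packets") total += $(i + 1)
         }
         END { print total + 0 }'
}

# Compare a counter reading taken before and after traffic was generated
# in the DEFAULT namespace. The upstream counter must not move at all.
leak_verdict() {
    if [ "$2" -gt "$1" ]; then
        echo LEAK     # upstream hook saw packets that never entered that netns
    else
        echo OK
    fi
}

# Full reproducer: needs root. Creates and removes the "upstream" netns.
reproduce_netns_leak() {
    ip netns add upstream
    ip netns exec upstream nft add table ip filter
    ip netns exec upstream nft add chain ip filter output \
        '{ type filter hook output priority 0; }'
    ip netns exec upstream nft add rule ip filter output counter

    before=$(ip netns exec upstream nft list table ip filter | counter_packets)

    # Traffic is generated in the default namespace only; lo in "upstream"
    # carries nothing, so its output counter should stay unchanged.
    ping -c 3 -q 127.0.0.1 >/dev/null

    after=$(ip netns exec upstream nft list table ip filter | counter_packets)

    ip netns del upstream
    echo "upstream output counter: before=$before after=$after -> $(leak_verdict "$before" "$after")"
}

# Only run the privileged part when explicitly asked: `sudo sh this.sh run`
if [ "${1:-}" = run ]; then
    reproduce_netns_leak
fi
```

On a correct kernel the script prints `OK` with both counter readings equal; a `LEAK` result reproduces the report and is the number to attach to a bug entry, together with `uname -r` and `nft --version`.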