On Fri, Dec 21, 2018 at 04:25:48PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Tue, Dec 18, 2018 at 10:14:51PM +0100, Florian Westphal wrote:
> > > Following command:
> > > iptables -D FORWARD -m physdev ...
> > > causes connectivity loss in some setups.
> >
> > So, scenario is: User calls this where there is no rule at all with -m
> > physdev, right?
>
> Yes, exactly.
> It's part of some 'delete old/previous rules' after startup cleanup
> procedure, where iptables -F/X can't be used (as it might contain
> rules set up by someone else).

Should we fix this from the kernel? i.e. like we do with conntracking,
track how many rules with physdev are loaded to register the
br_netfilter hooks?

That will be a bit more work... not sure it is worth.

I'm not sure what are the implications of removing this chunk in
userspace, i.e. side effects of your workaround.

Let me know, thanks!