Re: nft equivalent of iptables command

On Thu, 2019-08-22 at 16:16 +0200, Florian Westphal wrote:
> Serguei Bezverkhi (sbezverk) <sbezverk@xxxxxxxxx> wrote:
> > Hello,
> > 
> > I am trying to find an equivalent nft command for the following
> > iptables command.  Specifically "physdev" and "addrtype", I could
> > not find so far, some help would be very appreciated.
> > -m physdev ! --physdev-is-in
> 
> This has no equivalent.  The rule above matches when the 'call-iptables'
> sysctl is enabled and the packet did not enter via a bridge interface.
> So, it's only false when it did enter via a bridge interface.

Also note that the rule in kube-proxy that adds physdev/physdev-is-in
has the comment:

// This is imperfect in the face of network plugins that might not use a bridge, but we can revisit that later.

and it clearly doesn't work when the network plugin doesn't use a
bridge interface for containers, which is a lot of them. In fact, that
rule should instead be rewritten upstream to use "-s !<ClusterCIDR>" or
something rather than rules about a network interface that may/may not
exist.

IMHO this is really an issue in kube-proxy (code was added in 2015)
that hasn't been cleaned up since Kubernetes started supporting more
diverse network plugins.

Dan

> In case the sysctl is off, the rule always matches and can be
> omitted.
> 
> nftables currently assumes that call-iptables is off, and that
> bridges have their own filter rules in the netdev and/or
> bridge families.
> 
> inet/ip/ip6 are assumed to only see packets that are routed by the ip
> stack.
> 
> > -m addrtype ! --src-type LOCAL
> 
> fib saddr type != local
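As an added illustration that is not part of the thread, an nftables ruleset that applies the two translations discussed above: `fib saddr type` for the addrtype match, and Dan's cluster-CIDR idea in place of the physdev match that has no nft equivalent. The pod network 10.244.0.0/16 and the table and chain names are placeholders.

```nft
# Constructed example, not from the thread or from kube-proxy.
# Assumes the cluster's pod network is 10.244.0.0/16 (placeholder CIDR).
table inet kube_example {
    chain prerouting_example {
        type filter hook prerouting priority filter; policy accept;

        # iptables: -m addrtype ! --src-type LOCAL
        # nft: a fib lookup on the source address; "local" means the address
        # is configured on this host, so the rule matches traffic that was
        # not sourced by the host itself.
        fib saddr type != local counter comment "src is not a local address"

        # iptables: -m physdev ! --physdev-is-in
        # No nft equivalent: bridged traffic is expected to be filtered in the
        # bridge/netdev families. Dan's suggested replacement is to match on
        # the cluster CIDR instead of on whether a bridge interface exists.
        ip saddr != 10.244.0.0/16 counter comment "src is outside the cluster CIDR"
    }
}
```

Load it with `nft -f <file>` and inspect the counters with `nft list table inet kube_example` to confirm which rule the traffic of interest is hitting.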