Hi Phil, (CC'ing netfilter-devel) I discovered my openstack neutron linuxbridge-agent malfunctioning when using iptables-nft and it seems this ruleset is causing the issue: === 8< === *raw :OUTPUT - [0:0] :PREROUTING - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -I OUTPUT 1 -j neutron-linuxbri-OUTPUT -I PREROUTING 1 -j neutron-linuxbri-PREROUTING -I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -m comment --comment "Set zone for f101a28-1d" -j CT --zone 4097 -I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -m comment --comment "Set zone for f101a28-1d" -j CT --zone 4097 -I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -m comment --comment "Set zone for f101a28-1d" -j CT --zone 4097 COMMIT # Completed by iptables_manager === 8< === I'm testing current iptables git HEAD (f75750ff) and this is the diff between iptables-nft and iptables-legacy: === 8< === arturo@endurance:~/git/netfilter/iptables master ± sudo iptables/xtables-legacy-multi iptables-restore --verbose ~/t Flushing chain `PREROUTING' Flushing chain `OUTPUT' Flushing chain `neutron-linuxbri-OUTPUT' Flushing chain `neutron-linuxbri-PREROUTING' Deleting chain `neutron-linuxbri-OUTPUT' Deleting chain `neutron-linuxbri-PREROUTING' # Completed by iptables_manager arturo@endurance:~/git/netfilter/iptables master ± sudo iptables/xtables-nft-multi iptables-restore --verbose ~/t Flushing chain `PREROUTING' Flushing chain `OUTPUT' iptables-restore: line 12 failed === 8< === In case it helps, this is linux kernel 5.8.10 here, but I can reproduce the issue in older kernels (4.19.132 in the case of my neutron server). Let me know if I should open a ticket in netfilter's bugzilla, or this is something you are already working on. regards.
