On Wed, Sep 30, 2020 at 01:59:22PM +0200, Florian Westphal wrote:
> Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx> wrote:
> > Hi Phil,
> >
> > (CC'ing netfilter-devel)
> >
> > I discovered my openstack neutron linuxbridge-agent malfunctioning when using
> > iptables-nft and it seems this ruleset is causing the issue:
>
> > === 8< ===
> > *raw
> > :OUTPUT - [0:0]
> > :PREROUTING - [0:0]

If I replace these two by:

:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]

it works. Looks like some issue with the basechain policy?

> > :neutron-linuxbri-OUTPUT - [0:0]
> > :neutron-linuxbri-PREROUTING - [0:0]
> > -I OUTPUT 1 -j neutron-linuxbri-OUTPUT
> > -I PREROUTING 1 -j neutron-linuxbri-PREROUTING
> > -I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -m
> > comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
> > -I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -m comment --comment "Set
> > zone for f101a28-1d" -j CT --zone 4097
> > -I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -m
> > comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
> >
> > COMMIT