On Wed, Sep 30, 2020 at 02:13:14PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 30, 2020 at 01:59:22PM +0200, Florian Westphal wrote:
> > Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx> wrote:
> > > Hi Phil,
> > >
> > > (CC'ing netfilter-devel)
> > >
> > > I discovered my openstack neutron linuxbridge-agent malfunctioning when using
> > > iptables-nft and it seems this ruleset is causing the issue:
> > >
> > > === 8< ===
> > > *raw
> > > :OUTPUT - [0:0]
> > > :PREROUTING - [0:0]
>
> If I replace these two by:
>
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
>
> it works. Looks like some issue with the basechain policy? Probably this patch?
>
> > > :neutron-linuxbri-OUTPUT - [0:0]
> > > :neutron-linuxbri-PREROUTING - [0:0]
> > > -I OUTPUT 1 -j neutron-linuxbri-OUTPUT
> > > -I PREROUTING 1 -j neutron-linuxbri-PREROUTING
> > > -I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -m
> > > comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
> > > -I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -m comment --comment "Set
> > > zone for f101a28-1d" -j CT --zone 4097
> > > -I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -m
> > > comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
> > >
> > > COMMIT
diff --git a/iptables/nft.c b/iptables/nft.c index 27bb98d184c7..f29fe5b47575 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -678,7 +678,9 @@ nft_chain_builtin_alloc(const struct builtin_table *table, nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name); nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook); nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio); - nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy); + if (policy >= 0) + nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy); + nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type); return c; @@ -911,6 +913,8 @@ int nft_chain_set(struct nft_handle *h, const char *table, c = nft_chain_new(h, table, chain, NF_DROP, counters); else if (strcmp(policy, "ACCEPT") == 0) c = nft_chain_new(h, table, chain, NF_ACCEPT, counters); + else if (strcmp(policy, "-") == 0) + c = nft_chain_new(h, table, chain, -1, counters); else errno = EINVAL;
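Review bot: the `if (policy >= 0)` guard added in nft_chain_builtin_alloc() only does what is intended if `policy` is a signed type; the parameter declaration is outside the hunk context, so confirm it is `int` and not `uint32_t` (the value is handed to nftnl_chain_set_u32(), so an unsigned declaration would be easy to assume). If it were unsigned, the -1 passed in from nft_chain_set() would wrap and NFTNL_CHAIN_POLICY would be set to 0xffffffff instead of being skipped. A one-line comment above the guard, stating that a negative policy means "do not attach a policy attribute to the base chain", would also document the new meaning of the parameter for future callers.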
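Review bot: the new `strcmp(policy, "-") == 0` branch in nft_chain_set() passes the magic value -1 to nft_chain_new(), where the neighbouring branches use the named NF_DROP and NF_ACCEPT; a named constant, or at least a comment at the call site, would make it clear that `-` means "create or keep the chain without setting a policy". The commit message should also spell out what policy the chain ends up with in that case, both for a base chain that already exists and for one created fresh, since that is exactly the `:OUTPUT - [0:0]` / `:PREROUTING - [0:0]` case from the report above. Worth noting as well that every other unrecognised policy string still falls through to the `errno = EINVAL` branch, so only the literal `-` changes behaviour.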