Hello, we have recently transitioned from iptables to nftables. Our network architecture isn't simple but it can be simplified for the sake of this message. We also use a lot of LXC (cgroups) and we suspect that it might play a role in this case.

This instance of nftables is in an LXC container (51.254.25.16, 10.1.0.1). This container uses the following interfaces:

  eth0 - for WAN communication. IP: 51.254.25.16
  br0 - LAN, connected to a higher level bridge. The whole internal network works in the 10.0.0.0/8 subnet; this bridge handles 10.1.0.0/16.
  multiple veth - for joining containers inside this one to br0.
  and a few more, but those are probably not important.

Rough sketch of the network: http://assets.magik6k.net/screenshoots/1446293074.png

nftables configuration at the bottom of the message.

The behaviour that causes the issue is simple: `table ip nat` with (post|pre)routing hooks does not receive any traffic. http://assets.magik6k.net/screenshoots/1446289768.png

Packets go through the forward chain (counter increases) in the `inet filter` table but are not to be seen in the routing chains. Using tcpdump we are able to see packets going in to the bridge interface and going out through eth0, but without SNAT applied. Packets did not even enter the NAT chains, which does not change after flushing the conntracker.

This issue appeared randomly after installation and configuration of nftables, or the first restart of the whole physical machine, and was resolved either by us (there was a mismatch with a MAC address which could have caused confusion of filtering) or randomly by itself. It reappeared now (about 24h after the first one) in a different container (different bridge and interfaces but a setup very similar to the first one).

Our networking was working without any problems for about 3 months with iptables before issues started happening with nftables. The nat module of iptables was removed, blacklisted and disabled in modprobe.d, so it is not causing any interference with nftables.
We think that there might be some problem with cgroups compatibility of nftables, but we have no way to be sure. If you have any ideas or thoughts on how to debug this problem we will be happy to check them, as we are out of our own.

Best regards,
Jakub (Kubuxu) Sztandera

============================================
nftables configuration:

  table inet filter {
    chain input {
      type filter hook input priority 0;
      accept
    }
    chain forward {
      type filter hook forward priority 0;
      counter accept
    }
    chain output {
      type filter hook output priority 0;
      accept
    }
  }

  table ip nat {
    chain prerouting {
      type nat hook prerouting priority 0;
      counter;
      iif eth0 tcp dport 53 dnat 51.254.25.23
      iif eth0 udp dport 53 counter dnat 51.254.25.23
      iif eth0 tcp dport 13000 dnat 10.1.0.3
    }
    chain postrouting {
      type nat hook postrouting priority 0;
      counter
      oif eth0 counter snat 51.254.25.16
    }
  }
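The counter comparison the message relies on (forward chain counting, nat chains staying at zero) can be turned into a repeatable check over `nft list ruleset` output. The script below is an added example, not code from the poster or the netfilter project; it uses a constructed ruleset listing modelled on the configuration above, with made-up counter values, and on a live box it would read `nft list ruleset` instead.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (not captured from the
# poster's machine). Counter values are made up for illustration.
SAMPLE_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter packets 1532 bytes 201003 accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        counter packets 0 bytes 0
        iif "eth0" tcp dport 53 dnat to 51.254.25.23
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        counter packets 0 bytes 0
        oif "eth0" counter packets 0 bytes 0 snat to 51.254.25.16
    }
}'

# Read a ruleset listing on stdin and print "family table/chain packets",
# one line per chain in ruleset order, summing every "counter packets N"
# expression that appears inside the chain.
chain_packet_counts() {
    awk '
        $1 == "table" { table = $2 " " $3 }
        $1 == "chain" { key = table "/" $2; order[++n] = key; pkts[key] += 0 }
        {
            line = $0
            while (match(line, /counter packets [0-9]+/)) {
                split(substr(line, RSTART, RLENGTH), f, " ")
                pkts[key] += f[3]
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], pkts[order[i]] }
    '
}

# Chains whose counters never moved. Note that nat chains only see the first
# packet of each connection, so they count far fewer packets than filter
# chains; a nat chain that stays at zero while forward keeps counting is the
# symptom described in the message. NAT also depends on conntrack, so packets
# that are not tracked never reach the nat hooks at all.
silent_chains() {
    chain_packet_counts | awk '$NF == 0 { sub(/ [0-9]+$/, ""); print }'
}

printf '%s\n' "$SAMPLE_RULESET" | silent_chains
```

On a live system run `nft list ruleset | silent_chains` after sending some traffic through the bridge, so that an unchanged zero is meaningful.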