After some experiments with the nftables compat layer 1.6.0, using iptables commands generated by libvirt, I came across some strange (strange at least for me) behavior.

If I issue

    iptables-compat -A FORWARD -i virbr1 -o virbr1 -j ACCEPT

then 'nft list table ip filter' gives:

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        counter packets 0 bytes 0 accept
    }
    netlink: Error: Relational expression size mismatch
    netlink: Error: Relational expression size mismatch

If I flush and issue

    nft insert rule filter FORWARD meta iifname virbr1 meta oifname virbr1 accept

then 'iptables-compat -S' gives:

    [0:0] -A FORWARD -i v+ -o virbr1 -p 255 -j ACCEPT

If I flush and issue

    nft insert rule filter FORWARD meta oifname virbr1 meta iifname virbr1 accept

then 'iptables-compat -S' gives:

    [0:0] -A FORWARD -i virbr1 -o +rbr1 -j ACCEPT

Can anybody explain this? Can I use nft and iptables-compat -S and iptables-compat -A and nft list in this way?