Hello,

I tried to use an nftables arp table on the forward hook but it doesn't work. The wiki says arp hooks are input and output, but nft doesn't fail when I add it.

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains

Add the table on host1:

```
table arp arptest {
	chain input {
		type filter hook input priority 0; policy accept;
		counter log prefix "INPUT FILTER ARP: "
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		counter log prefix "FORWARD FILTER ARP: "
	}
	chain output {
		type filter hook output priority 0; policy accept;
		counter log prefix "OUTPUT FILTER ARP: "
	}
}
```

The topology of my network (1 host, 2 vms):

```
                         host1
        virbr0 192.168.122.1 (bridge containing vnet1 and vnet2)
        vnet1                            vnet2
          ↕                                ↕
         ens3                             ens3
     192.168.122.2                    192.168.122.3
         vm1                              vm2
```

Problem:

```
vm1$ arping -I ens3 192.168.122.3
```

On host1 I see the input counter increasing and "INPUT FILTER ARP" logs in journalctl; but nothing else. The output counter doesn't move (no "OUTPUT …" logs), which is normal. But the forward counter doesn't move either (no "FORWARD …" logs), which isn't normal!

Did I do something wrong? Did I misunderstand something? If arp can't be used on the forward hook, why doesn't nft raise an error when I add the chain?

```
max@mde-test % nft -v
nftables v0.7 (Scrooge McDuck)
max@mde-test % uname -a
Linux mde-test 4.10.13-1-ARCH #1 SMP PREEMPT Thu Apr 27 12:15:09 CEST 2017 x86_64 GNU/Linux
```

--
Thank you in advance
Maxime de Roucy