> Yuck. What dhcpd is that?
> CHECKSUM is a kludge workaround for old dhcpd that do not support csum.

It is probably there just for backwards compatibility of older systems. If I am not mistaken the lxc-guest container got an ip from the host dhcp when managed with ipt but sans the CHECKSUM rule.

The system is rather modern though and certainly supporting checksum

host ubuntu 4.15.0-23
dnsmasq 2.79
lxc 3.0
lxc-container ubuntu 4.15.0-23
network manager both - ifupdown2

> You can try to do
>
> meta oifname br* udp dport 68 udp checksum set 0
>
> and see if that makes dhcpd work.

Unfortunately that did not do the trick and maybe it is not even the cause since flushing the ruleset (below) the container gets an ip and it shouldn't if it was a matter of checksum?

Maybe I am making a logical mistake and have to run tcpdump or nft-trace to discover where the traffic gets blocked.

table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oif "ens3" masquerade # handle 3
	}
}
table ip raw {
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
	}

	chain postrouting {
		type filter hook postrouting priority 100; policy accept;
		oifname "br*" udp dport bootpc udp checksum set 0 # handle 3
	}
}
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept # handle 4
		ct state invalid nftrace set 1 drop # handle 5
		iif "lo" accept # handle 6
		ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue # handle 8
		tcp dport 56009 ct state new meter ssh-meter { ip saddr limit rate 10/minute} accept # handle 9
		udp dport 61023 ct state new meter ovpn-meter { ip saddr limit rate 10/hour burst 7 packets} continue # handle 10
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
		oif "lo" accept # handle 7
	}
}
table netdev filter {
	chain nic {
		type filter hook ingress device ens3 priority 0; policy accept;
		tcp dport 56009 accept # handle 2
		udp dport 61023 accept # handle 3
	}
}
table bridge filter {
	set tuc {
		type inet_proto
		elements = { tcp, udp }
	}

	set dd {
		type inet_proto
		elements = { 53, 67 }
	}

	chain input {
		type filter hook input priority -200; policy accept;
		tcp dport domain accept # handle 4
		udp dport domain accept # handle 5
		tcp dport bootps accept # handle 6
		tcp dport bootps accept # handle 7
	}

	chain forward {
		type filter hook forward priority -200; policy accept;
	}

	chain output {
		type filter hook output priority -200; policy accept;
	}
}
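
An added illustration, not part of the original message: this Python sketch shows why the `udp checksum set 0` workaround quoted above can satisfy a receiver that verifies UDP checksums. Over IPv4 a zero checksum field means the sender computed none, so there is nothing to verify, while a non-zero value that was never completed fails verification. The addresses, payload, function names and the modelling of an offload-partial field as the bare pseudo-header sum are assumptions made for the example.

```python
import struct

def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (Internet checksum core)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)  # 17 = UDP

def udp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Expected checksum for a UDP segment carried over IPv4."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 means "none"

def classify(src: bytes, dst: bytes, segment: bytes) -> str:
    """What a receiver that verifies checksums concludes about the segment."""
    (field,) = struct.unpack("!H", segment[6:8])
    if field == 0:
        return "absent"  # IPv4: sender computed no checksum, nothing to verify
    return "valid" if field == udp_checksum(src, dst, segment) else "invalid"

def build(payload: bytes, field: int) -> bytes:
    """UDP segment from bootps (67) to bootpc (68) with a chosen checksum field."""
    return struct.pack("!HHHH", 67, 68, 8 + len(payload), field) + payload

# Constructed sample: server 10.0.3.1 broadcasting a placeholder payload.
SRC, DST = bytes([10, 0, 3, 1]), bytes([255] * 4)
PAYLOAD = b"constructed-dhcp"

def demo() -> dict:
    good = udp_checksum(SRC, DST, build(PAYLOAD, 0))
    # Assumption: offload leaves only the pseudo-header sum in the field.
    partial = ones_sum(pseudo_header(SRC, DST, 8 + len(PAYLOAD)))
    return {
        "completed": classify(SRC, DST, build(PAYLOAD, good)),
        "offload-partial": classify(SRC, DST, build(PAYLOAD, partial)),
        "checksum set 0": classify(SRC, DST, build(PAYLOAD, 0)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```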