> Unfortunately that did not do the trick and maybe it is not even the cause
> since flushing the ruleset (below) the container gets an ip and it
> shouldn't if it was a matter of checksum?
>
> Maybe I am making a logical mistake and have to run tcpdump or nft-trace
> to discover where the traffic gets blocked.
>

Oh what a bummer, shame on me! There has been a clerical mistake which was
revealed when running a nft-trace and no traffic showed.

Having said that, and with the error corrected, the lxc-container is still
not getting an ip, tracing

tcp dport 53 meta nftrace set 1 accept
udp dport 53 meta nftrace set 1 accept
tcp dport 67 meta nftrace set 1 accept
udp dport 67 meta nftrace set 1 accept
meta oifname br* udp dport 68 udp checksum set 0 meta nftrace set 1

the output seems ok

trace id b1276b54 bridge filter input packet: iif "vethPKTL0Q" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id b1276b54 bridge filter input rule udp dport 67 nftrace set 1 accept (verdict accept)
trace id ebcfac60 ip raw prerouting verdict continue
trace id ebcfac60 ip raw prerouting
trace id ebcfac60 ip nat prerouting verdict continue
trace id ebcfac60 ip nat prerouting
trace id ebcfac60 inet filter input packet: iif "br3" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id ebcfac60 inet filter input rule ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue (verdict continue)
trace id ebcfac60 inet filter input verdict continue
trace id ebcfac60 inet filter input
trace id e194205f bridge filter input packet: iif "vethPKTL0Q" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id e194205f bridge filter input rule udp dport 67 nftrace set 1 accept (verdict accept)
trace id 3a1324e3 ip raw prerouting verdict continue
trace id 3a1324e3 ip raw prerouting
trace id 3a1324e3 ip nat prerouting verdict continue
trace id 3a1324e3 ip nat prerouting
trace id 3a1324e3 inet filter input packet: iif "br3" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id 3a1324e3 inet filter input rule ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue (verdict continue)
trace id 3a1324e3 inet filter input verdict continue
trace id 3a1324e3 inet filter input
trace id aa2e80a5 bridge filter input packet: iif "vethPKTL0Q" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id aa2e80a5 bridge filter input rule udp dport 67 nftrace set 1 accept (verdict accept)
trace id 25afd05d ip raw prerouting verdict continue
trace id 25afd05d ip raw prerouting
trace id 25afd05d ip nat prerouting verdict continue
trace id 25afd05d ip nat prerouting
trace id 25afd05d inet filter input packet: iif "br3" ether saddr 00:16:3e:19:15:82 ether daddr ff:ff:ff:ff:ff:ff ip saddr 0.0.0.0 ip daddr 255.255.255.255 ip dscp 0x04 ip ecn not-ect ip ttl 128 ip id 0 ip length 328 udp sport 68 udp dport 67 udp length 308
trace id 25afd05d inet filter input rule ct state new meter global-meter { ip saddr limit rate 100/second burst 25 packets} continue (verdict continue)
trace id 25afd05d inet filter input verdict continue
trace id 25afd05d inet filter input
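
An added example, not part of the original message: a small Python script that groups nft trace lines of the kind quoted above by trace id and lists the chains in which no rule issued accept or drop, which is where the chain policy decided the packet. The sample lines are constructed in the same shape as the quoted trace, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample, shortened, in the same shape as the trace in the message.
SAMPLE = """\
trace id b1276b54 bridge filter input packet: iif "vethPKTL0Q" udp sport 68 udp dport 67
trace id b1276b54 bridge filter input rule udp dport 67 nftrace set 1 accept (verdict accept)
trace id ebcfac60 ip raw prerouting verdict continue
trace id ebcfac60 ip raw prerouting
trace id ebcfac60 inet filter input packet: iif "br3" udp sport 68 udp dport 67
trace id ebcfac60 inet filter input rule ct state new continue (verdict continue)
trace id ebcfac60 inet filter input verdict continue
trace id ebcfac60 inet filter input
"""

# "trace id <id> <family> <table> <chain> [rest]"; rest is absent on bare lines.
LINE = re.compile(r"^trace id (\w+) (\w+) (\S+) (\S+)(?: (.*))?$")
RULE_VERDICT = re.compile(r"\(verdict (\w+)\)\s*$")
TERMINAL = {"accept", "drop"}  # narrowed to these two; other verdicts not handled

def parse_trace(text):
    """Return {trace_id: {(family, table, chain): [rule verdicts]}} in order seen."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a trace line
        tid, family, table, chain, rest = m.groups()
        chains = traces.setdefault(tid, OrderedDict())
        verdicts = chains.setdefault((family, table, chain), [])
        if (rest or "").startswith("rule "):
            v = RULE_VERDICT.search(rest)
            verdicts.append(v.group(1) if v else "unknown")
    return traces

def fell_through(text):
    """List (trace_id, 'family table chain') where no rule gave accept or drop."""
    out = []
    for tid, chains in parse_trace(text).items():
        for (family, table, chain), verdicts in chains.items():
            if not TERMINAL & set(verdicts):
                out.append((tid, f"{family} {table} {chain}"))
    return out

if __name__ == "__main__":
    for tid, chain in fell_through(SAMPLE):
        print(f"{tid}: no terminating rule in {chain}; chain policy decides")
```

Feeding it the full output of a trace session shows at a glance which hooks only ever report "continue" for the DHCP broadcast.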