[pve-devel] nftables 0.4 and kernel 3.19, still problem with physdevin|out

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jul 27 15:11:18 CEST 2015


On Mon, Jul 27, 2015 at 03:01:30PM +0200, Alexandre DERUMIER wrote:
> Oh, I speak too fast,
> seems that for tcp traffic in bridge chain, I can see PROTO and port.
> 
> forward: IN=tap150i0 OUT=fwln150i0 MAC=00:08:7c:bd:ae:40:76:ef:e9:ed:9d:41:08:00 SRC=10.3.95.240 DST=192.168.100.76 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=42868 DF PROTO=TCP SPT=22 DPT=49876 WINDOW=291 RES=0x00 ACK PSH URGP=0 MARK=0x7b 
> 
> So, it's really only missing conntrack here.

Yes, I think you can match almost everything in pretty much every table,
provided they have implemented it ;-) So we'll have to wait for ct to
land in bridge tables before considering switching to nft.
Or does nft provide any other advantage already that would be worth the
effort?
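Added example, not code from the thread or from Proxmox: a small Python parser for kernel netfilter LOG lines of the kind quoted above. It makes concrete what a bridge-chain log entry does and does not carry. The Ethernet header (MAC= is the raw 14 bytes: destination MAC, source MAC, ethertype), the IP fields, the L4 ports and the TCP flags are all there, which is why the rules can match on them; nothing about connection-tracking state is, which is the gap being discussed. The sample lines are constructed; the first is the one from the quoted message, the second is a made-up UDP line to show the repeated LEN= field that the transport header adds.

```python
from dataclasses import dataclass

# Constructed sample lines. SAMPLE_TCP is the bridge-chain entry quoted in the
# thread; SAMPLE_UDP is a made-up line in the same format.
SAMPLE_TCP = (
    "forward: IN=tap150i0 OUT=fwln150i0 "
    "MAC=00:08:7c:bd:ae:40:76:ef:e9:ed:9d:41:08:00 "
    "SRC=10.3.95.240 DST=192.168.100.76 LEN=108 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=42868 DF PROTO=TCP SPT=22 DPT=49876 WINDOW=291 RES=0x00 ACK PSH "
    "URGP=0 MARK=0x7b"
)
SAMPLE_UDP = (
    "forward: IN=tap150i0 OUT=fwln150i0 "
    "MAC=00:08:7c:bd:ae:40:76:ef:e9:ed:9d:41:08:00 "
    "SRC=10.3.95.240 DST=192.168.100.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=1000 DF PROTO=UDP SPT=40000 DPT=53 LEN=53"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


@dataclass
class NfLogEntry:
    prefix: str          # the log-prefix set on the rule ("forward" above)
    fields: dict         # KEY=value tokens
    flags: frozenset     # bare tokens such as DF, ACK, PSH


def parse_nflog_line(line: str) -> NfLogEntry:
    """Split a netfilter LOG line into prefix, KEY=value fields and bare flags.

    When a key repeats (UDP and ICMP print LEN= or ID= a second time for the
    transport header) the first, IP-header value is kept.
    """
    prefix, sep, rest = line.partition(": ")
    if not sep:
        prefix, rest = "", line
    fields, flags = {}, set()
    for token in rest.split():
        key, eq, value = token.partition("=")
        if eq:
            fields.setdefault(key, value)
        else:
            flags.add(token)
    return NfLogEntry(prefix, fields, frozenset(flags))


def split_mac(mac: str):
    """Decode MAC= (raw Ethernet header) into (dst MAC, src MAC, ethertype hex)."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC header length: {mac}")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def l4_tuple(entry: NfLogEntry):
    """Return (proto, src, sport, dst, dport); ports are None when not logged."""
    f = entry.fields
    if "PROTO" not in f:
        return None

    def port(key):
        return int(f[key]) if key in f else None

    return (f["PROTO"], f["SRC"], port("SPT"), f["DST"], port("DPT"))


def tcp_flags(entry: NfLogEntry):
    """TCP flags present in the entry, as a sorted list (empty for non-TCP)."""
    return sorted(entry.flags & TCP_FLAGS)


if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_UDP):
        e = parse_nflog_line(line)
        print(e.prefix, l4_tuple(e), tcp_flags(e), split_mac(e.fields["MAC"]))
```

Every field the parser recovers is a property of the single packet; there is no key for conntrack state, so a bridge-chain rule that logs like this can see ports and flags but still cannot distinguish a reply packet from a new flow. That is exactly what the `ct` match would add once it is available in the bridge family.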