nftables: arp forward

nftables: arp forward

[Maxime de Roucy]

[-- Attachment #1: Type: text/plain, Size: 1875 bytes --]

Hello,

I tried to use nftables arp table on forward hook but it doesn't work.
The wiki says arp hooks are input and output but nft doesn't fail when
I add it.
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains

Add the table on host1 :
```
table arp arptest {
        chain input {
                type filter hook input priority 0; policy accept;
                counter log prefix "INPUT FILTER ARP: "
        }
        chain forward {
                type filter hook forward priority 0; policy accept;
                counter log prefix "FORWARD FILTER ARP: "
        }
        chain output {
                type filter hook output priority 0; policy accept;
                counter log prefix "OUTPUT FILTER ARP: "
        }
}
```

The topologie of my network (1 host, 2 vms):

      host1
      virbr0 192.168.122.1 (bridge containing vnet1 and vnet2)
 vnet1              vnet2
    ↕                 ↕
   ens3              ens3
192.168.122.2   192.168.122.3
   vm1               vm2

problem:
```
vm1$ arping -I ens3 192.168.122.3
```

On host1 I see input counter increasing, "INPUT FILTER ARP" logs in
journalctl ; but nothing else.
Output counter doesn't move (no "OUTPUT …" logs), which is normal.
But forward counter doesn't move either (no "FORWARD …" logs) which
isn't normal !

Did I do something wrong ? Did I misunderstand something ?

If arp can't be use on forward hook, why nft doesn't raise an error
when I added the chain ?

```
max@mde-test % nft -v   
nftables v0.7 (Scrooge McDuck)
max@mde-test % uname -a
Linux mde-test 4.10.13-1-ARCH #1 SMP PREEMPT Thu Apr 27 12:15:09 CEST 2017 x86_64 GNU/Linux
```
-- 
Thank you in advance
Maxime de Roucy

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]