From: Florian Westphal <fw@strlen.de>
To: Arturo Borrero Gonzalez <arturo@netfilter.org>
Cc: Phil Sutter <phil@nwl.cc>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>
Subject: Re: iptables-nft-restore issue
Date: Wed, 30 Sep 2020 13:59:22 +0200 [thread overview]
Message-ID: <20200930115922.GC20140@breakpoint.cc> (raw)
In-Reply-To: <198c69b7-d7b2-f910-c469-199bfe2fda28@netfilter.org>
Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> Hi Phil,
>
> (CC'ing netfilter-devel)
>
> I discovered my openstack neutron linuxbridge-agent malfunctioning when using
> iptables-nft and it seems this ruleset is causing the issue:
> === 8< ===
> *raw
> :OUTPUT - [0:0]
> :PREROUTING - [0:0]
> :neutron-linuxbri-OUTPUT - [0:0]
> :neutron-linuxbri-PREROUTING - [0:0]
> -I OUTPUT 1 -j neutron-linuxbri-OUTPUT
> -I PREROUTING 1 -j neutron-linuxbri-PREROUTING
> -I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -m
> comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
> -I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -m comment --comment "Set
> zone for f101a28-1d" -j CT --zone 4097
> -I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -m
> comment --comment "Set zone for f101a28-1d" -j CT --zone 4097
>
> COMMIT
git bisect start
# good: [bba6bc692b0e6137e13881a1f398c134822e9f83] configure: bump
# versions for 1.8.2 release
git bisect good bba6bc692b0e6137e13881a1f398c134822e9f83
# bad: [72ed608bf1ea550ac13b5b880afc7ad3ffa0afd0] nft: Fix for broken
# address mask match detection
git bisect bad 72ed608bf1ea550ac13b5b880afc7ad3ffa0afd0
# good: [4e9782cae29034c4eefd31703ba77aee7eca2233] nft: Pass nft_handle
# to flush_cache()
git bisect good 4e9782cae29034c4eefd31703ba77aee7eca2233
# good: [f56d91bd80f0e86aaad56a32ddc84f373bb80745] connlabel: Allow
# numeric labels even if connlabel.conf exists
git bisect good f56d91bd80f0e86aaad56a32ddc84f373bb80745
# bad: [869e38fcdecda3de35d999b75fbaacc750fe3aaa] ebtables: Free
# statically loaded extensions again
git bisect bad 869e38fcdecda3de35d999b75fbaacc750fe3aaa
# good: [72470c66326d9b5186dd4614bc2d18269324e54b] nft: cache: Eliminate
# init_chain_cache()
git bisect good 72470c66326d9b5186dd4614bc2d18269324e54b
# bad: [6d1d5aa5c93eca890e28b508ef426b7844caf2b7] nft: cache: Introduce
# struct nft_cache_req
git bisect bad 6d1d5aa5c93eca890e28b508ef426b7844caf2b7
# bad: [9d07514ac5c7a27ec72df5a81bf067073d63bd99] nft: calculate cache
# requirements from list of commands
git bisect bad 9d07514ac5c7a27ec72df5a81bf067073d63bd99
# good: [accaecdf5889911e6a1ca4737c6f6599a77afe24] nft: cache: Fetch
# sets per table
git bisect good accaecdf5889911e6a1ca4737c6f6599a77afe24
# bad: [a7f1e208cdf9c6392c99d3c52764701d004bdde7] nft: split parsing
# from netlink commands
git bisect bad a7f1e208cdf9c6392c99d3c52764701d004bdde7
# good: [70a3c1a07585de64b5780a415dc157079c34911b] ebtables-restore:
# Table line to trigger implicit commit
git bisect good 70a3c1a07585de64b5780a415dc157079c34911b
# first bad commit: [a7f1e208cdf9c6392c99d3c52764701d004bdde7] nft:
# split parsing from netlink commands
Can't look at it further ATM, I double-checked that the commit
preceeding
a7f1e208cdf9c6392c99d3c52764701d004bdde7 works.
next prev parent reply other threads:[~2020-09-30 11:59 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-30 9:58 iptables-nft-restore issue Arturo Borrero Gonzalez
2020-09-30 11:59 ` Florian Westphal [this message]
2020-09-30 12:13 ` Pablo Neira Ayuso
2020-09-30 12:26 ` Pablo Neira Ayuso
2020-10-02 11:30 ` Arturo Borrero Gonzalez
2020-10-02 11:42 ` Pablo Neira Ayuso
2020-09-30 14:18 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200930115922.GC20140@breakpoint.cc \
--to=fw@strlen.de \
--cc=arturo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).