nftables in network name spaces breaks networking

nftables in network name spaces breaks networking

[Ed Tomlinson]

Hi

Using 3.17.1 and setting up firewalls with nftables breaks networking when nft -f <somefile> is run in an systemd-nspawn instance.  

Please take a look at: https://bugs.freedesktop.org/show_bug.cgi?id=85464 

The network gets setup correctly either by systemd-nspawn or manually via ip netns and all is okay until you try to load a firewall in
the spawned instance with nftables.  At this point the host's bridge interface stop responding.  Load a nftable in the spawned client 
should NOT affect the host's networking.

I like nftables and find them easier to use than iptables (or ipchains which dates me).

Please fix this problem or stop nft from loading tables when not it the root namespace.

I am willing to test fixes.

Thanks,
Ed Tomlinson

Re: nftables in network name spaces breaks networking

[Pablo Neira Ayuso]

On Wed, Oct 29, 2014 at 08:00:26AM -0400, Ed Tomlinson wrote:
> Hi
> 
> Using 3.17.1 and setting up firewalls with nftables breaks networking when nft -f <somefile> is run in an systemd-nspawn instance.  
> 
> Please take a look at: https://bugs.freedesktop.org/show_bug.cgi?id=85464 

I'm unable to reproduce this here, I have tested ip netns with several
generic configurations per family.

Could you please provide the ruleset? If you believe this is a
nftables bug, we need that information to narrow it down.

Thank you.