bugzilla-daemon at netfilter.org
2017-Jun-05 19:32 UTC
[Bug 1155] New: arp forward filter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1155

Bug ID: 1155
Summary: arp forward filter doesn't work
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: maxime.deroucy at gmail.com

Hello,

I tried to use the nftables arp table on the forward hook but it doesn't work. The wiki says arp hooks are input and output, but nft doesn't fail when I add it.
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains

Add the table on host1:

```
table arp arptest {
    chain input {
        type filter hook input priority 0; policy accept;
        counter log prefix "INPUT FILTER ARP: "
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter log prefix "FORWARD FILTER ARP: "
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter log prefix "OUTPUT FILTER ARP: "
    }
}
```

The topology of my network (1 host, 2 VMs):

```
host1
  virbr0 192.168.122.1 (bridge containing vnet1 and vnet2)
    vnet1                 vnet2
      ↕                     ↕
     ens3                  ens3
  192.168.122.2         192.168.122.3
     vm1                   vm2
```

Problem:

```
vm1$ arping -I ens3 192.168.122.3
```

On host1 I see the input counter increasing and "INPUT FILTER ARP" logs in journalctl; but nothing else. The output counter doesn't move (no "OUTPUT …" logs), which is normal. But the forward counter doesn't move either (no "FORWARD …" logs), which isn't normal!

Did I do something wrong? Did I misunderstand something? If arp can't be used on the forward hook, why doesn't nft raise an error when I add the chain?

```
max at mde-test % nft -v
nftables v0.7 (Scrooge McDuck)
max at mde-test % uname -a
Linux mde-test 4.10.13-1-ARCH #1 SMP PREEMPT Thu Apr 27 12:15:09 CEST 2017 x86_64 GNU/Linux
```

More information can be found here: https://pelican.craoc.fr/nftables.html#arp-vm1-vm2

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170605/3fb65d41/attachment.html>
bugzilla-daemon at netfilter.org
2017-Jun-05 19:32 UTC
[Bug 1155] arp forward filter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1155

Maxime de Roucy <maxime.deroucy at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maxime.deroucy at gmail.com
bugzilla-daemon at netfilter.org
2017-Jun-05 19:47 UTC
[Bug 1155] arp forward filter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1155

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
Indeed, I think we should reject the forward chain.

I guess it's there because the legacy 'call-arptables' sysctl from bridge netfilter does allow pushing packets through arptables, but I think with nft you can just use the bridge family to filter arp packets that pass through a bridge.
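Added example (not part of the bug thread or the nftables project): the bridge-family ruleset the comment above points to, beside the arp-family forward chain that never sees bridged frames. It assumes the interface names and addresses from the report (virbr0, vnet1, vnet2, 192.168.122.3) and an nft recent enough to accept arp header matches in the bridge family.

```nft
# The arp family only hooks input and output on the host itself, so ARP
# frames that virbr0 switches between vnet1 and vnet2 never reach this
# chain; newer kernels reject it outright (see Comment #2).
#
# table arp arptest {
#     chain forward {
#         type filter hook forward priority 0; policy accept;
#         counter log prefix "FORWARD FILTER ARP: "
#     }
# }

# The bridge family's forward hook does see frames crossing between bridge
# ports, so this is where ARP passing through virbr0 can be counted,
# logged, or filtered. Interface names are taken from the report.
table bridge arpfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Every ARP frame switched between vnet1 and vnet2 is counted and
        # logged, which is what the arp-family forward chain was meant to do.
        ether type arp counter log prefix "BRIDGE FORWARD ARP: "

        # Defensive policy for the lab topology: only vm2's port may send
        # ARP replies claiming 192.168.122.3; replies for that address
        # arriving on any other port are spoofed and get dropped.
        ether type arp arp operation reply \
            arp saddr ip 192.168.122.3 iifname != "vnet2" \
            counter log prefix "ARP SPOOF DROP: " drop
    }
}
```

Load it with `nft -f`, repeat the `arping` from vm1, and `nft list table bridge arpfilter` shows the forward counter moving while the arp-family input counter on the host stays as before.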
bugzilla-daemon at netfilter.org
2017-Aug-08 13:31 UTC
[Bug 1155] arp forward filter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1155

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org        |fw at strlen.de
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Florian Westphal <fw at strlen.de> ---
The kernel will now reject the non-working forward chain (that should not have been there in the first place).