cord Guru
Joined: 28 Apr 2007 Posts: 344
Posted: Sun Jul 01, 2018 2:54 pm Post subject: Problem with IPv4 forwarding after kernel upgrade

Hello.
I have a Gentoo host system with qemu, libvirt, virt-manager and several guest OSes on it. There are also two virtual networks between the host and the guests, because I need some guests to be able to reach the internet and some not, but all must have access to the host FTP.
The host system has nftables that allows everything (IPv4) but denies forwarding from the 192.168.10.0/24 subnet (no internet). The other guests are connected to 192.168.20.0/24 and have internet access.
Here's the nftables rules script:
Code:
#!/sbin/nft -f
# Delete all previous tables/rules
flush ruleset
# Table for IPv4 (type - ip, name - v4)
table ip v4 {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 192.168.10.0/24 drop comment "Drop unwanted transit NAT"
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
    }
}
# Table for IPv6 (type - ip6, name - v6)
# Drop all IPv6 traffic
table ip6 v6 {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}
It was working fine until the kernel upgrade (to 4.14.52). If nftables is started (openrc init), none of the subnets have internet access (no difference between 192.168.10.0/24 and 192.168.20.0/24), and if it is not started, all of them do.
Also, the upgrade changed the ip forward setting in sysctl.conf to 0 (I have already set it back to 1).
What can be the problem?
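An added example, not part of the original post and not code from the poster or from any project: a POSIX shell script that checks, offline, the two things the post brings up, the net.ipv4.ip_forward setting and what the nftables ruleset does in the forward and postrouting chains. It runs against a constructed copy of the poster's ruleset embedded in the script; the function names, the SAMPLE_RULESET variable and the --live switch are my own choices, while the /proc path and `nft list ruleset` are standard Linux.

```shell
#!/bin/sh
# Added example (not from the post): offline checks of the settings the post
# mentions. Function names and the --live switch are my own choices.

# Constructed sample input: the poster's ruleset, embedded so the checks run offline.
SAMPLE_RULESET='table ip v4 {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 192.168.10.0/24 drop comment "Drop unwanted transit NAT"
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
    }
}
table ip6 v6 {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}'

# forward_policy RULESET FAMILY -> prints the policy of the chain hooked on "forward"
# in the table of that family (ip or ip6); prints nothing if there is none.
forward_policy() {
    printf '%s\n' "$1" | awk -v fam="$2" '
        $1 == "table" { cur = $2 }
        cur == fam && /hook forward/ {
            for (i = 1; i <= NF; i++)
                if ($i == "policy") { p = $(i + 1); sub(/;/, "", p); print p; exit }
        }'
}

# subnet_dropped RULESET FAMILY CIDR -> exit 0 if the forward-hook chain of that
# family carries a drop rule for that source subnet, 1 otherwise.
subnet_dropped() {
    printf '%s\n' "$1" | awk -v fam="$2" -v net="$3" '
        $1 == "table" { cur = $2 }
        $1 == "chain" { fwd = 0 }
        /hook forward/ { fwd = 1 }
        cur == fam && fwd && /saddr/ && index($0, net) && /drop/ { found = 1 }
        END { exit !found }'
}

# has_masquerade RULESET FAMILY -> exit 0 if the postrouting-hook chain of that
# family contains a masquerade or snat rule, 1 otherwise.
has_masquerade() {
    printf '%s\n' "$1" | awk -v fam="$2" '
        $1 == "table" { cur = $2 }
        $1 == "chain" { post = 0 }
        /hook postrouting/ { post = 1 }
        cur == fam && post && (/masquerade/ || /snat/) { found = 1 }
        END { exit !found }'
}

# forwarding_checks IP_FORWARD RULESET -> prints one line per finding and
# returns the number of findings (0 means nothing to report).
forwarding_checks() {
    count=0
    if [ "$1" != "1" ]; then
        echo "net.ipv4.ip_forward is $1: the kernel will not route between the guest subnets and the uplink"
        count=$((count + 1))
    fi
    pol=$(forward_policy "$2" ip)
    if [ "$pol" != "accept" ]; then
        echo "ip forward chain policy is '${pol:-missing}', not accept"
        count=$((count + 1))
    fi
    if ! has_masquerade "$2" ip; then
        echo "no masquerade/snat rule in the ip postrouting chain (only a problem if nothing else, libvirt for instance, installs one)"
        count=$((count + 1))
    fi
    return $count
}

# Run with --live on the host itself to check the real kernel setting and the
# loaded ruleset (nft needs root). Without --live only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    forwarding_checks "$(cat /proc/sys/net/ipv4/ip_forward)" "$(nft list ruleset)"
fi
```

On the embedded copy of the poster's ruleset the checks confirm that the ip forward chain accepts by default and drops 192.168.10.0/24 only, and report that the postrouting nat chain has no masquerade rule of its own; with the ip_forward value the upgrade left behind (0) the routing finding is reported as well. The script only reads state and never changes it.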