Comment # 8 on bug 1234053 from Alexandre Vicenzi
What I have found so far is:

The following command works on Tumbleweed, but not on WSL.

> cat rules.json
> {"nftables":[{"add":{"table":{"family":"inet","name":"netavark"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"INPUT","type":"filter","hook":"input","prio":0,"policy":"accept"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"FORWARD","type":"filter","hook":"forward","prio":0,"policy":"accept"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"POSTROUTING","type":"nat","hook":"postrouting","prio":100,"policy":"accept"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"PREROUTING","type":"nat","hook":"prerouting","prio":-100,"policy":"accept"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"OUTPUT","type":"nat","hook":"output","prio":-100,"policy":"accept"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-HOSTPORT-DNAT"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-HOSTPORT-SETMARK"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-1"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-2"}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-3"}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"POSTROUTING","expr":[{"match":{"left":{"&":[{"meta":{"key":"mark"}},8192]},"right":8192,"op":"=="}},{"masquerade":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-HOSTPORT-SETMARK","expr":[{"mangle":{"key":{"meta":{"key":"mark"}},"value":{"|":[{"meta":{"key":"mark"}},8192]}}}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"PREROUTING","expr":[{"match":{"left":{"fib":{"result":"type","flags":["daddr"]}},"right":"local","op":"=="}},{"jump":{"target":"NETAVARK-HOSTPORT-DNAT"}}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"OUTPUT","expr":[{"match":{"left":{"fib":{"result":"type","flags":["daddr"]}},"right":"local","op":"=="}},{"jump":{"target":"NETAVARK-HOSTPORT-DNAT"}}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"ct":{"key":"state"}},"right":"invalid","op":"in"}},{"drop":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"jump":{"target":"NETAVARK-ISOLATION-1"}}]}}},{"insert":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-ISOLATION-3","expr":[{"match":{"left":{"meta":{"key":"oifname"}},"right":"podman0","op":"=="}},{"drop":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-ISOLATION-3","expr":[{"jump":{"target":"NETAVARK-ISOLATION-2"}}]}}},{"add":{"chain":{"family":"inet","table":"netavark","name":"nv_53ce4390_10_88_0_0_nm16"}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"nv_53ce4390_10_88_0_0_nm16","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"accept":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"nv_53ce4390_10_88_0_0_nm16","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"224.0.0.0","len":4}},"op":"!="}},{"masquerade":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"INPUT","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"match":{"left":{"meta":{"key":"l4proto"}},"right":{"set":["udp","tcp"]},"op":"=="}},{"match":{"left":{"payload":{"protocol":"th","field":"dport"}},"right":53,"op":"=="}},{"accept":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"match":{"left":{"ct":{"key":"state"}},"right":["established","related"],"op":"in"}},{"accept":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"accept":null}]}}},{"add":{"rule":{"family":"inet","table":"netavark","chain":"POSTROUTING","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"jump":{"target":"nv_53ce4390_10_88_0_0_nm16"}}]}}}]}

> nft -j -f rules.json

This rule is created by netavark in nft.rs::setup_network and when netavark
tries to apply it, the crate nftables fails in helper.rs::apply_ruleset_raw.

The function apply_ruleset_raw invokes the nft executable, which can easily be
reproduced outside podman/netavark.

Running strace on a working system and on WSL gives different results; on WSL
there are many errors "EAGAIN (Resource temporarily unavailable)".

It seems there's an issue with netlink communication, but I have not figured it
out quite yet.

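As an added example (not part of the bug comment, netavark or the nftables crate): a small Python checker over the libnftables JSON form that `nft -j -f` consumes, the format of rules.json above. It indexes the declared chains, lists base chains with hook and priority, and flags jump/goto targets that have no declared chain in the same table, so a generated ruleset can be sanity-checked before handing it to nft. The embedded sample is a constructed, trimmed subset of the ruleset above with one chain left out on purpose; the checker also accepts the bare object form that `nft -j list ruleset` prints.

```python
import json

# Constructed sample: a trimmed subset of the netavark ruleset from the comment,
# with the NETAVARK-ISOLATION-2 chain deliberately left out so the checker has
# a dangling jump to report.
SAMPLE = json.dumps({"nftables": [
    {"add": {"table": {"family": "inet", "name": "netavark"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "FORWARD",
                       "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "POSTROUTING",
                       "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "NETAVARK-ISOLATION-1"}}},
    {"add": {"rule": {"family": "inet", "table": "netavark", "chain": "FORWARD",
                      "expr": [{"jump": {"target": "NETAVARK-ISOLATION-1"}}]}}},
    {"insert": {"rule": {"family": "inet", "table": "netavark", "chain": "NETAVARK-ISOLATION-1",
                         "expr": [{"jump": {"target": "NETAVARK-ISOLATION-2"}}]}}},
]})


def index_ruleset(text):
    """Parse libnftables JSON and return (chains, rules); chains are keyed by
    (family, table, name).  Objects may be wrapped in an 'add'/'insert' command
    (nft -j -f input, as netavark writes it) or bare (nft -j list ruleset output)."""
    chains, rules = {}, []
    for cmd in json.loads(text)["nftables"]:
        obj = cmd.get("add") or cmd.get("insert") or cmd
        if "chain" in obj:
            c = obj["chain"]
            chains[(c["family"], c["table"], c["name"])] = c
        elif "rule" in obj:
            rules.append(obj["rule"])
    return chains, rules


def dangling_jumps(text):
    """(chain, verdict, target) for every jump/goto whose target chain is not
    declared in the same family and table; nft cannot load such a ruleset."""
    chains, rules = index_ruleset(text)
    missing = []
    for r in rules:
        for e in r.get("expr", []):
            for verdict in ("jump", "goto"):
                v = e.get(verdict)
                if isinstance(v, dict) and (r["family"], r["table"], v.get("target")) not in chains:
                    missing.append((r["chain"], verdict, v.get("target")))
    return missing


def base_chains(text):
    """(name, hook, prio) for every chain attached to a netfilter hook."""
    chains, _ = index_ruleset(text)
    return sorted((c["name"], c["hook"], c["prio"]) for c in chains.values() if "hook" in c)
```

Pointing `dangling_jumps` at the full rules.json from the comment returns an empty list, since every jump target there is declared.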