[Bug 1234053] Podman cannot create container in network
https://bugzilla.suse.com/show_bug.cgi?id=1234053
https://bugzilla.suse.com/show_bug.cgi?id=1234053#c8

--- Comment #8 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> ---

What I have found so far is: the following command works on Tumbleweed, but not on WSL.
cat rules.json
{"nftables":[
{"add":{"table":{"family":"inet","name":"netavark"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"INPUT","type":"filter","hook":"input","prio":0,"policy":"accept"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"FORWARD","type":"filter","hook":"forward","prio":0,"policy":"accept"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"POSTROUTING","type":"nat","hook":"postrouting","prio":100,"policy":"accept"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"PREROUTING","type":"nat","hook":"prerouting","prio":-100,"policy":"accept"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"OUTPUT","type":"nat","hook":"output","prio":-100,"policy":"accept"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-HOSTPORT-DNAT"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-HOSTPORT-SETMARK"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-1"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-2"}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"NETAVARK-ISOLATION-3"}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"POSTROUTING","expr":[{"match":{"left":{"&":[{"meta":{"key":"mark"}},8192]},"right":8192,"op":"=="}},{"masquerade":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-HOSTPORT-SETMARK","expr":[{"mangle":{"key":{"meta":{"key":"mark"}},"value":{"|":[{"meta":{"key":"mark"}},8192]}}}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"PREROUTING","expr":[{"match":{"left":{"fib":{"result":"type","flags":["daddr"]}},"right":"local","op":"=="}},{"jump":{"target":"NETAVARK-HOSTPORT-DNAT"}}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"OUTPUT","expr":[{"match":{"left":{"fib":{"result":"type","flags":["daddr"]}},"right":"local","op":"=="}},{"jump":{"target":"NETAVARK-HOSTPORT-DNAT"}}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"ct":{"key":"state"}},"right":"invalid","op":"in"}},{"drop":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"jump":{"target":"NETAVARK-ISOLATION-1"}}]}}},
{"insert":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-ISOLATION-3","expr":[{"match":{"left":{"meta":{"key":"oifname"}},"right":"podman0","op":"=="}},{"drop":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"NETAVARK-ISOLATION-3","expr":[{"jump":{"target":"NETAVARK-ISOLATION-2"}}]}}},
{"add":{"chain":{"family":"inet","table":"netavark","name":"nv_53ce4390_10_88_0_0_nm16"}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"nv_53ce4390_10_88_0_0_nm16","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"accept":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"nv_53ce4390_10_88_0_0_nm16","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"224.0.0.0","len":4}},"op":"!="}},{"masquerade":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"INPUT","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"match":{"left":{"meta":{"key":"l4proto"}},"right":{"set":["udp","tcp"]},"op":"=="}},{"match":{"left":{"payload":{"protocol":"th","field":"dport"}},"right":53,"op":"=="}},{"accept":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"daddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"match":{"left":{"ct":{"key":"state"}},"right":["established","related"],"op":"in"}},{"accept":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"FORWARD","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"accept":null}]}}},
{"add":{"rule":{"family":"inet","table":"netavark","chain":"POSTROUTING","expr":[{"match":{"left":{"payload":{"protocol":"ip","field":"saddr"}},"right":{"prefix":{"addr":"10.88.0.0","len":16}},"op":"=="}},{"jump":{"target":"nv_53ce4390_10_88_0_0_nm16"}}]}}}
]}
nft -j -f rules.json
This rule is created by netavark in nft.rs::setup_network, and when netavark tries to apply it, the crate nftables fails in helper.rs::apply_ruleset_raw. The function apply_ruleset_raw invokes the nft executable, which can easily be reproduced outside podman/netavark. Running strace on a working system and on WSL gives different results: on WSL there are many errors "EAGAIN (Resource temporarily unavailable)". It seems there's an issue with netlink communication, but I have not figured it out quite yet.
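Since the comment narrows the failure to `nft -j -f` rejecting the whole batch, the next thing a practitioner wants is to know which command in the batch trips it. The script below is an added example and is not part of the bug report, netavark, or the nftables crate: it bisects over prefixes of a netavark-style JSON ruleset, handing each prefix to `nft -j -c -f` (assumption: `-c` validates the batch without committing it and is enough to surface the error; drop it to commit for real). The embedded ruleset is a constructed subset of the one in the comment, and `runner` is injectable so the bisect logic can be exercised without root or a working netlink socket.

```python
"""Bisect a netavark-style nft JSON ruleset to the first command nft rejects."""
import json
import os
import subprocess
import sys
import tempfile
from typing import Callable, Optional, Tuple

# Constructed sample: a subset of the netavark ruleset from the bug comment,
# kept in its original order because rules reference chains created earlier.
SAMPLE_RULESET = {"nftables": [
    {"add": {"table": {"family": "inet", "name": "netavark"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "INPUT",
                       "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "FORWARD",
                       "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "NETAVARK-ISOLATION-1"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "NETAVARK-ISOLATION-2"}}},
    {"add": {"chain": {"family": "inet", "table": "netavark", "name": "NETAVARK-ISOLATION-3"}}},
    {"add": {"rule": {"family": "inet", "table": "netavark", "chain": "FORWARD",
                      "expr": [{"match": {"left": {"ct": {"key": "state"}}, "right": "invalid", "op": "in"}},
                               {"drop": None}]}}},
    {"add": {"rule": {"family": "inet", "table": "netavark", "chain": "FORWARD",
                      "expr": [{"jump": {"target": "NETAVARK-ISOLATION-1"}}]}}},
    {"insert": {"rule": {"family": "inet", "table": "netavark", "chain": "NETAVARK-ISOLATION-3",
                         "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "right": "podman0", "op": "=="}},
                                  {"drop": None}]}}},
    {"add": {"rule": {"family": "inet", "table": "netavark", "chain": "NETAVARK-ISOLATION-3",
                      "expr": [{"jump": {"target": "NETAVARK-ISOLATION-2"}}]}}},
]}

Runner = Callable[[dict], Tuple[int, str]]


def describe(cmd: dict) -> str:
    """Short label for one top-level nft JSON command: verb, object kind, name or chain."""
    (verb, body), = cmd.items()          # e.g. "add" -> {"rule": {...}}
    (kind, obj), = body.items()          # e.g. "rule" -> {...}
    target = obj.get("name") or obj.get("chain", "")
    return f"{verb} {kind} {target}".strip()


def run_nft(doc: dict, check_only: bool = True) -> Tuple[int, str]:
    """Feed one {"nftables": [...]} document to the real nft binary (needs CAP_NET_ADMIN).

    With check_only the batch is validated via `nft -c` and not committed (assumption:
    this still exercises the netlink path and therefore reproduces the WSL failure).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(doc, f)
        path = f.name
    try:
        argv = ["nft", "-j"] + (["-c"] if check_only else []) + ["-f", path]
        proc = subprocess.run(argv, capture_output=True, text=True)
        return proc.returncode, proc.stderr.strip()
    finally:
        os.unlink(path)


def find_first_failure(ruleset: dict, runner: Runner = run_nft) -> Optional[Tuple[int, str, str]]:
    """Return (index, label, stderr) of the first command whose prefix nft rejects, or None.

    Prefixes are validated as whole batches, so every command still sees the chains it
    depends on. The search assumes failures are deterministic and monotone: if prefix k
    fails, every longer prefix fails too. Flaky EAGAIN results break that assumption;
    rerun and compare before trusting a single answer.
    """
    cmds = ruleset["nftables"]
    rc, err = runner({"nftables": cmds})
    if rc == 0:
        return None
    lo, hi, last_err = 0, len(cmds), err   # invariant: prefix(lo) passes, prefix(hi) fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        rc, err = runner({"nftables": cmds[:mid]})
        if rc == 0:
            lo = mid
        else:
            hi, last_err = mid, err
    culprit = hi - 1
    return culprit, describe(cmds[culprit]), last_err


if __name__ == "__main__":
    # Usage: python bisect_nft.py rules.json   (uses the constructed sample if no path given)
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULESET
    result = find_first_failure(rules)
    print("whole batch accepted" if result is None else f"first failing command #{result[0]}: {result[1]}\n{result[2]}")
```

The bisect costs about log2(n) nft invocations instead of n, which matters when each run hangs on a retry loop. If the full batch passes under `-c` but fails without it, the problem is in the commit path rather than in batch validation, which is itself a useful data point for the netlink theory in the comment.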