PASS: netns routing/connectivity: ns1 can reach ns2
PASS: flow offloaded for ns1/ns2
PASS: flow offloaded for ns1/ns2 with NAT
FAIL: file mismatch for ns1 -> ns2
-rw-------. 1 root root 5358592 Jan 31 17:12 /tmp/tmp.xyi3O1jKxw
-rw-------. 1 root root 13984 Jan 31 17:12 /tmp/tmp.IhcGAAc0S8
FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery
table inet filter {
	flowtable f1 {
		hook ingress priority filter
		devices = { veth0, veth1 }
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		oif "veth1" tcp dport 12345 flow add @f1 counter packets 4 bytes 208
		tcp dport 12345 meta length > 200 ct mark set 0x00000001 counter packets 1698 bytes 16160152
		tcp flags fin,rst ct mark set 0x00000000 accept
		tcp sport 12345 ct mark 0x00000001 counter packets 5 bytes 296 log prefix "mark failure " drop
		ct state established,related accept
		meta length < 200 oif "veth1" tcp dport 12345 counter packets 4 bytes 240 accept
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept
	}
}
table ip nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
		iif "veth0" ip daddr 10.6.6.6 tcp dport 1666 counter packets 1 bytes 60 dnat to 10.0.2.99:12345
	}
	chain postrouting {
		type nat hook postrouting priority filter; policy accept;
		oifname "veth1" counter packets 3 bytes 180 masquerade
	}
}
FAIL: file mismatch for ns1 -> ns2
-rw-------. 1 root root 5358592 Jan 31 17:12 /tmp/tmp.xyi3O1jKxw
-rw-------. 1 root root 15432 Jan 31 17:12 /tmp/tmp.IhcGAAc0S8
FAIL: flow offload for ns1/ns2 with bridge NAT
table inet filter {
	flowtable f1 {
		hook ingress priority filter
		devices = { veth0, veth1 }
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		oif "veth1" tcp dport 12345 flow add @f1 counter packets 5 bytes 260
		tcp dport 12345 meta length > 200 ct mark set 0x00000001 counter packets 1708 bytes 16184792
		tcp flags fin,rst ct mark set 0x00000000 accept
		tcp sport 12345 ct mark 0x00000001 counter packets 15 bytes 852 log prefix "mark failure " drop
		ct state established,related accept
		meta length < 200 oif "veth1" tcp dport 12345 counter packets 5 bytes 300 accept
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept
	}
}
table ip nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
		iif "br0" ip daddr 10.6.6.6 tcp dport 1666 counter packets 0 bytes 0 dnat to 10.0.2.99:12345
	}
	chain postrouting {
		type nat hook postrouting priority filter; policy accept;
		oifname "veth1" counter packets 1 bytes 60 masquerade
	}
}
FAIL: file mismatch for ns1 -> ns2
-rw-------. 1 root root 5358592 Jan 31 17:12 /tmp/tmp.xyi3O1jKxw
-rw-------. 1 root root 15432 Jan 31 17:12 /tmp/tmp.IhcGAAc0S8
FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN
table inet filter {
	flowtable f1 {
		hook ingress priority filter
		devices = { veth0, veth1 }
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		oif "veth1" tcp dport 12345 flow add @f1 counter packets 6 bytes 312
		tcp dport 12345 meta length > 200 ct mark set 0x00000001 counter packets 1716 bytes 16206432
		tcp flags fin,rst ct mark set 0x00000000 accept
		tcp sport 12345 ct mark 0x00000001 counter packets 23 bytes 1304 log prefix "mark failure " drop
		ct state established,related accept
		meta length < 200 oif "veth1" tcp dport 12345 counter packets 6 bytes 360 accept
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept
	}
}
table ip nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
		iif "br0" ip daddr 10.6.6.6 tcp dport 1666 counter packets 0 bytes 0 dnat to 10.0.2.99:12345
	}
	chain postrouting {
		type nat hook postrouting priority filter; policy accept;
		oifname "veth1" counter packets 2 bytes 120 masquerade
	}
}
FAIL: file mismatch for ns1 -> ns2
-rw-------. 1 root root 5358592 Jan 31 17:12 /tmp/tmp.xyi3O1jKxw
-rw-------. 1 root root 235616 Jan 31 17:12 /tmp/tmp.IhcGAAc0S8
FAIL: ipsec tunnel mode for ns1/ns2
table inet filter {
	flowtable f1 {
		hook ingress priority filter
		devices = { veth0, veth1 }
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		oif "veth1" tcp dport 12345 flow add @f1 counter packets 7 bytes 364
		tcp dport 12345 meta length > 200 ct mark set 0x00000001 counter packets 1728 bytes 16243154
		tcp flags fin,rst ct mark set 0x00000000 accept
		tcp sport 12345 ct mark 0x00000001 counter packets 43 bytes 2380 log prefix "mark failure " drop
		ct state established,related accept
		meta length < 200 oif "veth1" tcp dport 12345 counter packets 7 bytes 420 accept
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept
	}
}
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 0
XfrmInStateProtoError 0
XfrmInStateModeError 0
XfrmInStateSeqError 0
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 0
XfrmInTmplMismatch 0
XfrmInNoPols 0
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 0
XfrmOutStateProtoError 0
XfrmOutStateModeError 0
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0
XfrmAcquireError 0
:: [ PASS ] :: Test '6..16 selftests: netfilter:nft_flowtable.sh [WAIVE]'