Comment 0 for bug 1949603

Andrea Righi (arighi) wrote :

Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.

This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:

check_ipt_policy_count()
{
        ns=$1

        ip netns exec $ns iptables-save -c |grep policy | ( read c rest
                ip netns exec $ns iptables -Z
                if [ x"$c" = x'[0:0]' ]; then
                        exit 0
                elif [ x"$c" = x ]; then
                        echo "ERROR: No counters"
                        ret=1
                        exit 111
                else
                        exit 1
                fi
        )
}

If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.

Any idea why this is happening and how I can debug this in iptables?

Thanks in advance.
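The following is an added example, not part of the bug report or of the kernel selftest. It re-implements the counter check above as a stand-alone function that reads an iptables-save -c dump on stdin, so the output of the two backends can be compared offline and the exit code is not lost in a subshell. The two dumps are constructed samples: the legacy one shows the [0:0] counters the reporter saw pass, the nft one shows the non-zero counters he saw fail (the actual numbers are made up). The live_check() helper at the end is an assumption about how one would reproduce this on a real host: it needs root, ip and iptables, and installs a xt_policy rule of the same kind the selftest uses.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel source).

# Read an iptables-save -c dump on stdin and classify the counters of every
# rule that uses the xt_policy match. Exit codes follow the selftest:
#   0   every policy rule has [0:0]
#   1   at least one policy rule has non-zero counters
#   111 no policy rule found (nothing to check)
check_policy_counters() {
    found=0
    nonzero=0
    while IFS= read -r line; do
        case "$line" in
            "["*"]"*"-m policy"*) ;;   # "[pkts:bytes] -A CHAIN ... -m policy ..."
            *) continue ;;
        esac
        found=1
        counter=${line%% *}            # first field, e.g. [4:336]
        [ "$counter" = "[0:0]" ] || nonzero=1
    done
    if [ "$found" -eq 0 ]; then
        echo "ERROR: No counters" >&2
        return 111
    fi
    return "$nonzero"
}

# Constructed sample: a dump with the counters at zero, as the reporter
# observed with iptables-legacy.
legacy_dump='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample: the same rule with non-zero counters, the situation the
# reporter observed with iptables-nft (values are made up).
nft_dump='# Generated by iptables-nft-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[4:336] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample: no xt_policy rule at all.
no_rule_dump='*filter
:INPUT ACCEPT [0:0]
COMMIT'

# Run the check on a dump held in a string and print the resulting exit code,
# so the three outcomes can be compared even under set -e.
classify() {
    if printf '%s\n' "$1" | check_policy_counters 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    echo "$rc"
}

# Live reproduction (assumption; needs root, ip and iptables; not run by
# default). Creates a throwaway netns, installs a xt_policy rule, prints which
# backend "iptables" resolves to and checks the counters it reports.
live_check() {
    ns=xfrm_ipt_check
    ip netns add "$ns" || return 1
    ip netns exec "$ns" iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
    ip netns exec "$ns" iptables -V
    ip netns exec "$ns" iptables-save -c | check_policy_counters
    rc=$?
    ip netns del "$ns"
    return "$rc"
}

echo "legacy sample: $(classify "$legacy_dump")"
echo "nft sample:    $(classify "$nft_dump")"
echo "no rule:       $(classify "$no_rule_dump")"
```

To compare the two backends on a real system, run live_check as root once with iptables pointing at iptables-legacy and once with iptables-nft (for example via update-alternatives), and diff the two iptables-save -c dumps; the xt_policy rule line is the one whose counters differ.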