Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:
check_ipt_policy_count()
{
    ns=$1

    ip netns exec $ns iptables-save -c |grep policy | ( read c rest
    ip netns exec $ns iptables -Z
    if [ x"$c" = x'[0:0]' ]; then
        exit 0
    elif [ x"$c" = x ]; then
        echo "ERROR: No counters"
        ret=1
        exit 111
    else
        exit 1
    fi
    )
}
If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.
Any idea why this is happening and how I can debug this in iptables?
Thanks in advance.
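One way to narrow this down is to look at every rule that carries the xfrm "policy" match rather than only the first line grep happens to return, and to confirm which backend the iptables binary in the namespace actually is. The script below is an added example written for this thread; it is not part of the kernel selftest or of the iptables project. It assumes the usual `iptables-save -c` line shape (`[pkts:bytes] -A CHAIN ...`) and that `iptables -V` prints `(nf_tables)` for iptables-nft and `(legacy)` for iptables-legacy. It reads a dump from stdin, so it can be fed either a saved file or `ip netns exec $ns iptables-save -c` directly, and it returns the same exit codes the selftest uses (0, 1, 111) so the two can be compared side by side.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel selftest):
# inspect the counters of every xfrm "policy" rule in an
# `iptables-save -c` dump and report which rule, if any, is counting.

# Classify one counter token exactly as check_ipt_policy_count() does:
# prints "zero" for [0:0], "none" for an empty token, "nonzero" otherwise.
classify_counter() {
    c=$1
    if [ x"$c" = x'[0:0]' ]; then
        echo zero
    elif [ x"$c" = x ]; then
        echo none
    else
        echo nonzero
    fi
}

# Read an iptables-save -c dump on stdin and print one line per rule that
# uses the policy match: "<pkts> <bytes> <rule text>".
# Exit status mirrors the selftest: 0 if every policy rule is at [0:0],
# 1 if any policy rule has counted traffic, 111 if no policy rule with
# counters was found (no rule at all, or the dump was taken without -c).
report_policy_counters() {
    seen=0
    nonzero=0
    missing=0
    while read -r c rest; do
        case "$rest" in
            *policy*) ;;
            *) continue ;;   # chain headers, COMMIT and unrelated rules
        esac
        seen=1
        case "$c" in
            \[*:*\])
                pkts=${c#\[}; pkts=${pkts%%:*}
                bytes=${c%\]}; bytes=${bytes##*:}
                printf '%s %s %s\n' "$pkts" "$bytes" "$rest"
                [ "$pkts" -eq 0 ] && [ "$bytes" -eq 0 ] || nonzero=1
                ;;
            *)
                # A policy rule without a [pkts:bytes] prefix: -c was not used.
                printf 'no-counters %s %s\n' "$c" "$rest"
                missing=1
                ;;
        esac
    done
    if [ "$missing" -eq 1 ] || [ "$seen" -eq 0 ]; then
        return 111
    elif [ "$nonzero" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Map the output of `iptables -V` to the backend it names.
# Assumed formats: "iptables v1.8.x (nf_tables)" and "iptables v1.8.x (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Stand-alone demonstration on a constructed dump (not real counters):
# one policy rule has seen traffic, so the selftest would report failure.
report_policy_counters <<'EOF' || echo "selftest would exit with status $?"
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[3:252] -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
```

To use it against the selftest's namespaces, run `ip netns exec "$ns" iptables-save -c | report_policy_counters` inside the namespace the test created and `ip netns exec "$ns" iptables -V` to confirm the backend; with the nft backend, `ip netns exec "$ns" nft list ruleset` shows the same rules with their counters as nftables sees them, which is the place to compare against what iptables-save prints.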