See upstream bug https://bugzilla.netfilter.org/show_bug.cgi?id=1758

nftables is broken in the way that they do not have a clear "first
match" or "last match" strategy, but do intermix them: accept follows
"last match", while drop/reject follow "first match". This is broken by
design. You cannot mix both strategies within the same rules. That's why
you can't stack rulesets cleanly.


Although they admit that they just didn't know how to solve the problem and
deal with it (there is a common and well known solution, i.e. having a
"proceed"-action, meaning to make no decision at all and proceed with the next
ruleset), they still have implemented it this way.

And: They neither tell how this should work, nor are they willing to
change it. Broken by final decision.

They don't see it as a matter of technical functioning. They do see it
as a matter of accepting and respecting their discussions.

As a result, I would have to repeat LXD's rules in my own firewall
rules. And a filter system, where rules have to be repeated in order for
them to have effect, where LXD's own rules do not have any effect at all
and just work as if they didn't exist, is terribly broken.


The sad reality is that nftables is broken because it was built by people just
not competent for this task.

How should ubuntu users deal with this problem?
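The verdict behaviour the report complains about can be reproduced with two base chains on the same hook. The ruleset below is an added, constructed example and is not part of the bug report nor LXD's actual ruleset; the table name "demo", the chain names "lxd" and "mine", the interface name "lxdbr0" and the priorities are assumptions. In nftables a base chain with a lower priority number runs first, an `accept` verdict only ends traversal of that chain (the packet continues to the next base chain on the same hook), while `drop` ends processing of the packet for good. So a packet accepted in "lxd" still has to pass "mine", and without a repeated rule there it hits that chain's `policy drop`.

```nft
# Constructed example: two base chains on the "forward" hook of the
# same netfilter hook point (names and priorities are assumptions).
table inet demo {
    # Runs first (priority 0). Its "accept" is not final: the packet
    # is handed on to every later base chain on the same hook.
    chain lxd {
        type filter hook forward priority 0; policy drop;
        iifname "lxdbr0" accept
    }

    # Runs second (priority 10). A "drop" here is final even though the
    # earlier chain already said "accept"; to let the container traffic
    # through, the matching rule has to be repeated in this chain too.
    chain mine {
        type filter hook forward priority 10; policy drop;
        ct state established,related accept
        # iifname "lxdbr0" accept   <- required again, or the packet is dropped
    }
}
```

To confirm which chain actually decided a packet's fate, add `meta nftrace set 1` as the first rule of the earliest chain and watch `nft monitor trace`; each base chain the packet traverses, and the verdict it returned, is printed in order.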



** Bug watch added: bugzilla.netfilter.org/ #1758
   http://bugzilla.netfilter.org/show_bug.cgi?id=1758

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072406

Title:
  subtile flaw in kernel packet filter nftables

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2072406/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
