I recently upgraded to pbr-iptables 0.9.8-14 and found that it no longer creates the PBR_OUTPUT chain at startup, despite having dependent policies defined.
The simplest repro:
1. start with a clean install of pbr-iptables (and enable the service)
2. enable sample policy 3 (WireGuard Server) which uses the OUTPUT chain
3. restart pbr service and observe the error from iptables
Activating Traffic Killswitch [✓]
Setting up routing for 'wan/pppoe-wan/100.65.0.1' [✓]
Setting up routing for 'wg0/10.1.1.2' [✓]
Routing 'WireGuard Server' via wan [✗]
Deactivating Traffic Killswitch [✓]
pbr 0.9.8-14 monitoring interfaces: wan wg0
pbr 0.9.8-14 (iptables) started with gateways:
wan/pppoe-wan/100.65.0.1
wg0/10.1.1.2 [✓]
ERROR: iptables -t mangle -A PBR_OUTPUT -g PBR_MARK_0x010000 -p udp -m multiport --sport 51820 -m comment --comment WireGuard_Server
I believe this regression was introduced between 0.9.7-1 and 0.9.7-2, where pbr.nft and pbr.iptables merged and load_package_config() stopped calling the append_chains_targets() iterator which was able to expand $usedChainsList as needed.
append_chains_targets() {
    [...]
    if ! str_contains_word "$usedChainsList" "$chain"; then
        usedChainsList="$usedChainsList $chain"
    fi
}
Is this functionality somehow incompatible with nft?
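To illustrate the dependency the post describes, here is an added example (not pbr's own code) of the collect-then-create ordering: every enabled policy first registers the chain it needs in $usedChainsList, the chains are created from that list, and only then are rules appended. The str_contains_word re-implementation, the policy list and the dry-run echo of iptables commands are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the pbr package: why used chains must be
# collected before any "iptables -A" is issued. Nothing here calls iptables;
# the commands are echoed so the ordering can be inspected offline.

# Word-in-list test, a hypothetical stand-in for pbr's str_contains_word.
str_contains_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

usedChainsList=""

# Record the chain a policy needs; called once per enabled policy.
append_chains_targets() {
    chain="$1"
    if ! str_contains_word "$usedChainsList" "$chain"; then
        usedChainsList="${usedChainsList:+$usedChainsList }$chain"
    fi
}

# Emit (dry run) the commands that create each collected chain.
emit_chain_setup() {
    for chain in $usedChainsList; do
        echo "iptables -t mangle -N $chain"
    done
}

# Appending to a chain that was never collected is the reported failure;
# refuse here instead of letting iptables fail with "No chain/target".
append_rule() {
    chain="$1"; shift
    if ! str_contains_word "$usedChainsList" "$chain"; then
        echo "ERROR: $chain not created; skipping: iptables -t mangle -A $chain $*" >&2
        return 1
    fi
    echo "iptables -t mangle -A $chain $*"
}

# Constructed policies (name:chain). Like sample policy 3 in the post, a
# locally hosted WireGuard server matches in OUTPUT, not PREROUTING.
for entry in "DNS_override:PBR_PREROUTING" "WireGuard_Server:PBR_OUTPUT" "Guest_LAN:PBR_PREROUTING"; do
    append_chains_targets "${entry#*:}"
done
```

Run as-is it collects both chains; clearing PBR_OUTPUT from the list before calling append_rule reproduces the failing sequence from the log.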