<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - nftables gets confused by user namespaces when meta skuid is used" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1210">1210</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nftables gets confused by user namespaces when meta skuid is used
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>critical
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>bugz@yalis.fr
          </td>
        </tr></table>
      <p>
        <div>
        <pre>(for reference: <a href="https://github.com/systemd/systemd/issues/7800">https://github.com/systemd/systemd/issues/7800</a>)

### Versions the issue has been seen with

linux v4.14.9
nftables v0.8
systemd v236.0

OS: Up-to-date Archlinux (as of 2017-12-31)

### Expected behaviour

`sudo -u exim telnet smtp.bbox.fr 25` should be able to connect.

### Actual behaviour

`sudo -u exim telnet smtp.bbox.fr 25` times out.

### Steps to reproduce the problem

The setup is such:
* Archlinux host
* Archlinux systemd-nspawn guest (named `seuil3`), launched with the standard
`systemd-nspawn@.service` launcher, plus the following drop-in:
```
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot
--link-journal=guest -U --settings=override --machine=%i
```

By replacing `-U` (== with user namespace) with `--private-users=0
--private-users-chown` (== without user namespace) in the drop-in, the above
`telnet` works.

#### Host-specific configuration

`/etc/systemd/nspawn/seuil3.nspawn`:
```
[Exec]
NotifyReady=yes
Capability=CAP_NET_ADMIN

[Network]
Bridge=wire
```

`/etc/systemd/network/wired.network`:
```
[Match]
Name=en*

[Network]
Bridge=wire
```

`/etc/systemd/network/bridge.netdev`:
```
[NetDev]
Name=wire
Kind=bridge
```

`/etc/systemd/network/bridge.network`:
```
[Match]
Name=wire

[Network]
IPForward=yes
Address=XXX.XXX.XXX.aaa/mm
Gateway=XXX.XXX.XXX.1
```

Outgoing nftables rules:
```
chain FilterOut {
  type filter hook output priority 0
  policy accept
}
```

#### Guest-specific configuration

`/etc/systemd/network/00-wired.network`:
```
[Match]
Name=host*
Virtualization=container

[Network]
Address=XXX.XXX.XXX.bbb/mm
Gateway=XXX.XXX.XXX.1
LLDP=yes
EmitLLDP=customer-bridge
```

Outgoing nftables rules:
```
chain FilterOut {
  type filter hook output priority 0
  policy drop
  ct state {established, related} accept
  meta oif lo accept
  ip daddr /* LAN, DNS, NTP… */ accept
  …
  meta skuid exim tcp dport 25 accept
}
```</pre>
        </div>
      </p>
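<p>The following is an added illustration, not part of the bug report or of nftables: it models the uid translation behind the symptom described above, under the assumption (suggested by the report, not confirmed on this page) that the kernel evaluates the socket owner as seen from the initial user namespace while <code>nft</code> resolves <code>exim</code> through the guest's own passwd. The uid_map contents and the uid 79 for <code>exim</code> are constructed sample values.</p>

```python
"""Model of why `meta skuid exim` inside a user-namespaced container may
never match.  Added example; assumes the kernel compares the socket uid as
seen from the initial user namespace, while the rule value is resolved in
the guest.  All uid_map contents and uids below are constructed samples."""
from typing import List, Tuple

# Constructed /proc/<pid>/uid_map contents: "<inside> <outside> <count>".
UIDMAP_NSPAWN_U = "         0    1048576      65536\n"   # systemd-nspawn -U (assumed base)
UIDMAP_NO_USERNS = "         0          0 4294967295\n"  # --private-users=0 (identity map)

GUEST_EXIM_UID = 79      # constructed: uid of `exim` in the guest's /etc/passwd
OVERFLOW_UID = 65534     # what an unmapped kuid is reported as ("nobody")


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def to_initial_ns(uid_map: str, inside_uid: int) -> int:
    """Translate a uid seen inside the namespace to the initial namespace's
    view; unmapped uids collapse to OVERFLOW_UID, as the kernel does."""
    for inside, outside, count in parse_uid_map(uid_map):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return OVERFLOW_UID


def skuid_rule_matches(uid_map: str, rule_uid: int, socket_uid_in_guest: int) -> bool:
    """Emulate `meta skuid <rule_uid>` against a socket owned (inside the
    guest) by socket_uid_in_guest.  rule_uid is what the guest's passwd
    lookup produced; the compared value is the initial-namespace view."""
    kernel_view = to_initial_ns(uid_map, socket_uid_in_guest)
    return kernel_view == rule_uid


if __name__ == "__main__":
    for label, uid_map in (("-U", UIDMAP_NSPAWN_U), ("--private-users=0", UIDMAP_NO_USERNS)):
        seen = to_initial_ns(uid_map, GUEST_EXIM_UID)
        hit = skuid_rule_matches(uid_map, GUEST_EXIM_UID, GUEST_EXIM_UID)
        print(f"{label}: guest uid {GUEST_EXIM_UID} -> host view {seen}; rule matches: {hit}")
```

With the identity map the rule matches and the SMTP connection is accepted; with the shifted map the compared uid differs from the one the guest resolved, so the packet falls through to <code>policy drop</code>, which is the timeout in the report.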
    </body>
</html>